CVE-2025-11429
Published: Oct 23, 2025
Modified: Jan 20, 2026
CVSS v3.1
5.4
Description
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The root cause is that the session expiration logic relies on the session-local "remember-me" flag without validating the current realm-level configuration, so turning the setting off only affects sessions created afterwards.
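The following is an added, simplified model of the expiration logic the description refers to; it is illustration code, not Keycloak's implementation. It assumes realm fields named after the Keycloak realm settings (rememberMe, ssoSessionIdleTimeout, ssoSessionMaxLifespan, ssoSessionIdleTimeoutRememberMe, ssoSessionMaxLifespanRememberMe) and a session shape modelled on the admin API's user-session representation (start, lastAccess, rememberMe); the expiry arithmetic is a simplification. It places the vulnerable behaviour (trusting the session-local flag) beside the intended behaviour (requiring the realm setting to still be enabled) and lists the sessions that outlive the current policy only because of the stale flag, which is the set an administrator of an unpatched instance would need to terminate by hand.

```python
"""Model of the CVE-2025-11429 expiry logic. Added example, not Keycloak code.

Field names are assumptions mirroring Keycloak realm settings and the admin
API's user-session representation; the arithmetic is a simplification.
"""
from dataclasses import dataclass


@dataclass
class RealmConfig:
    remember_me_enabled: bool   # realm "rememberMe" toggle
    sso_idle: int               # ssoSessionIdleTimeout, seconds
    sso_max: int                # ssoSessionMaxLifespan, seconds
    sso_idle_remember_me: int   # ssoSessionIdleTimeoutRememberMe; 0 = fall back to sso_idle
    sso_max_remember_me: int    # ssoSessionMaxLifespanRememberMe; 0 = fall back to sso_max


@dataclass
class UserSession:
    session_id: str
    start: int          # epoch seconds of login
    last_access: int    # epoch seconds of last use (token refresh, SSO hit, ...)
    remember_me: bool   # flag recorded on the session at login time


def _lifetimes(realm: RealmConfig, remember_me: bool) -> tuple[int, int]:
    """Return (idle_timeout, max_lifespan) for a session of the given kind."""
    if remember_me:
        return (realm.sso_idle_remember_me or realm.sso_idle,
                realm.sso_max_remember_me or realm.sso_max)
    return realm.sso_idle, realm.sso_max


def expiry_vulnerable(session: UserSession, realm: RealmConfig) -> int:
    """Pre-fix behaviour (modelled): trusts the flag stored on the session.

    If the administrator has since turned Remember Me off, the session still
    gets the extended idle/max lifetimes it was granted at login."""
    idle, max_life = _lifetimes(realm, session.remember_me)
    return min(session.last_access + idle, session.start + max_life)


def expiry_fixed(session: UserSession, realm: RealmConfig) -> int:
    """Intended behaviour: the session flag only counts while the realm still
    permits Remember Me, so disabling the setting takes effect immediately."""
    effective = session.remember_me and realm.remember_me_enabled
    idle, max_life = _lifetimes(realm, effective)
    return min(session.last_access + idle, session.start + max_life)


def is_expired(session: UserSession, realm: RealmConfig, now: int, expiry_fn) -> bool:
    return now >= expiry_fn(session, realm)


def sessions_outliving_policy(sessions, realm: RealmConfig, now: int) -> list[str]:
    """IDs of sessions the vulnerable logic keeps alive although the realm's
    current policy would already have expired them."""
    return [s.session_id for s in sessions
            if not is_expired(s, realm, now, expiry_vulnerable)
            and is_expired(s, realm, now, expiry_fixed)]


# Constructed sample: Remember Me was on when both users logged in at T0 and
# has since been switched off. Standard SSO idle is 30 minutes and max is
# 10 hours; the Remember Me idle/max were 30 days.
T0 = 1_700_000_000
REALM_AFTER_DISABLE = RealmConfig(
    remember_me_enabled=False,
    sso_idle=30 * 60, sso_max=10 * 3600,
    sso_idle_remember_me=30 * 86400, sso_max_remember_me=30 * 86400,
)
SAMPLE_SESSIONS = [
    UserSession("sess-alice", start=T0, last_access=T0, remember_me=True),
    UserSession("sess-bob", start=T0, last_access=T0, remember_me=False),
]
ONE_HOUR_LATER = T0 + 3600

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s.session_id,
              "expired (vulnerable):", is_expired(s, REALM_AFTER_DISABLE, ONE_HOUR_LATER, expiry_vulnerable),
              "expired (fixed):", is_expired(s, REALM_AFTER_DISABLE, ONE_HOUR_LATER, expiry_fixed))
    print("alive only because of the stale flag:",
          sessions_outliving_policy(SAMPLE_SESSIONS, REALM_AFTER_DISABLE, ONE_HOUR_LATER))
```

In the sample, Alice's hour-old session is still valid under the vulnerable path (30-day lifetimes) but already past the 30-minute idle limit under the fixed path; Bob's never had the flag and expires either way. The practical consequence for an unpatched deployment is that flipping the realm toggle is not a revocation: sessions established under the old setting must be terminated explicitly (for example the realm's "Sign out all active sessions" action, which corresponds to the admin REST endpoint `POST /admin/realms/{realm}/logout-all`), or the instance upgraded to a fixed release.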
| Vendor | Product | Versions |
|---|---|---|
| Keycloak | keycloak | affected: 0 to < 26.4.1 |
| Red Hat | Red Hat build of Keycloak 26.2 | unaffected: 26.2.11-1 and later |
| Red Hat | Red Hat build of Keycloak 26.2 | unaffected: 26.2-12 and later |
| Red Hat | Red Hat build of Keycloak 26.2.11 | All versions |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score: 5.4 (Medium)
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: Low (C:L)
Integrity: Low (I:L)
Availability: None (A:N)
References