VYPR
Medium severity (5.4) · OSV Advisory · Published Oct 23, 2025 · Updated Apr 15, 2026

CVE-2025-11429

Description

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.
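To make the flaw concrete, here is an added, simplified model of the session-expiration check (example code written for this page, not Keycloak's own implementation). The vulnerable variant decides from the session-local flag alone, the hardened variant also consults the current realm setting; the class and field names mirror the realm's session-timeout options but are assumptions, and every timeout value and the timeline are constructed.

```python
from dataclasses import dataclass

# Simplified model of a realm's session settings (assumed names, not Keycloak's classes).
@dataclass(frozen=True)
class RealmConfig:
    remember_me_enabled: bool
    sso_idle: int               # SSO Session Idle, seconds
    sso_max: int                # SSO Session Max, seconds
    sso_idle_remember_me: int   # SSO Session Idle Remember Me, seconds
    sso_max_remember_me: int    # SSO Session Max Remember Me, seconds

@dataclass(frozen=True)
class UserSession:
    started: int        # epoch seconds when the session was created
    last_refresh: int   # epoch seconds of the most recent activity
    remember_me: bool   # flag stored on the session at login time

def _expired(session: UserSession, idle: int, lifespan: int, now: int) -> bool:
    return (now - session.last_refresh > idle) or (now - session.started > lifespan)

def is_expired_vulnerable(session: UserSession, realm: RealmConfig, now: int) -> bool:
    """CVE-2025-11429 behaviour: trusts the session-local flag only, so a session
    created while "Remember Me" was on keeps the extended limits even after an
    administrator disables the realm setting."""
    if session.remember_me:
        return _expired(session, realm.sso_idle_remember_me, realm.sso_max_remember_me, now)
    return _expired(session, realm.sso_idle, realm.sso_max, now)

def is_expired_hardened(session: UserSession, realm: RealmConfig, now: int) -> bool:
    """Applies the extended limits only while the realm still allows "Remember Me",
    so disabling the setting takes effect on existing sessions immediately."""
    if session.remember_me and realm.remember_me_enabled:
        return _expired(session, realm.sso_idle_remember_me, realm.sso_max_remember_me, now)
    return _expired(session, realm.sso_idle, realm.sso_max, now)

def scenario() -> tuple:
    """Constructed timeline: login with "Remember Me" at t=0, the admin then disables
    the setting, and the session is evaluated at t=2h with no activity since login.
    Returns (vulnerable_verdict, hardened_verdict)."""
    realm_after_change = RealmConfig(
        remember_me_enabled=False,
        sso_idle=30 * 60, sso_max=10 * 3600,                     # 30 min idle, 10 h max
        sso_idle_remember_me=7 * 86400, sso_max_remember_me=30 * 86400,  # 7 d / 30 d
    )
    session = UserSession(started=0, last_refresh=0, remember_me=True)
    now = 2 * 3600
    return (is_expired_vulnerable(session, realm_after_change, now),
            is_expired_hardened(session, realm_after_change, now))  # (False, True)
```

The vulnerable check still treats the two-hour-idle session as live because the flag on the session says so, while the hardened check expires it under the realm's ordinary 30-minute idle limit.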

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Ecosystem   Affected versions      Patched versions
org.keycloak:keycloak-services  Maven       >= 26.3.0, < 26.4.1    26.4.1
org.keycloak:keycloak-services  Maven       < 26.2.11              26.2.11
