CVE-2025-11429

EPSS 0.12%
Veröffentlicht 23.10.2025 14:15:35
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

Keycloak-server: too long and not settings compliant session

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

CNA 5 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerKeycloak

≫

Produkt keycloak

Default Statusunaffected

Version 0

Version < 26.4.1

Status affected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusaffected

Version 26.2.11-1

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusaffected

Version 26.2-12

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusaffected

Version 26.2-12

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2.11

Default Statusunaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.303

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://access.redhat.com/security/cve/CVE-2025-11429

https://bugzilla.redhat.com/show_bug.cgi?id=2402148

https://access.redhat.com/errata/RHSA-2025:22089

https://access.redhat.com/errata/RHSA-2025:22088

https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d

https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b

https://github.com/keycloak/keycloak/issues/43328

https://nvd.nist.gov/vuln/detail/CVE-2025-11429

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-11429

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-11429

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-11429