PT-2025-43516 · Red Hat · Keycloak

Alexander Schwartz · Published 2025-10-23 · Updated 2025-12-19 · CVE-2025-11429

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)

Description: A logic flaw exists in Keycloak's session management: disabling the "Remember Me" realm setting is not enforced on existing user sessions. Sessions created while "Remember Me" was enabled keep the extended remember-me lifespan until they expire, so the administrator's configuration change does not take effect for them. The cause is that the session expiration logic relies on the session-local "remember-me" flag without checking the current realm-level setting. The result is a longer window for session hijacking or unauthorized long-term access than the administrator intended.

Recommendations: At the moment there is no information about a newer version that contains a fix for this vulnerability. As a workaround, an administrator who disables "Remember Me" can terminate the sessions that were created under the old setting (for example, by signing out all active sessions from the realm's Sessions view in the admin console, or with POST /admin/realms/{realm}/logout-all in the Admin REST API), so that no session retains the extended lifespan.
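The following is an added illustration of the flaw described above, not code from Keycloak or from this advisory. It models a realm configuration and a user session with assumed field names (remember_me_enabled, sso_session_max_lifespan, sso_session_max_lifespan_remember_me, and a per-session remember_me flag), then contrasts an expiration check that trusts only the session-local flag with one that also consults the realm's current setting. It also includes a small audit helper, stale_remember_me_sessions, that lists the sessions surviving only because of the stale flag; all data is constructed.

```python
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class RealmConfig:
    # Modelled after Keycloak's realm settings; the field names are assumptions.
    remember_me_enabled: bool
    sso_session_max_lifespan: int              # seconds, ordinary sessions
    sso_session_max_lifespan_remember_me: int  # seconds, 0 = fall back to the ordinary value


@dataclass
class UserSession:
    started: int        # epoch seconds at login
    remember_me: bool   # copied from the login request and stored on the session
    user: str = ""


def max_lifespan_vulnerable(session: UserSession, realm: RealmConfig) -> int:
    """Lifespan chosen from the session-local flag alone (the flaw in the description)."""
    if session.remember_me and realm.sso_session_max_lifespan_remember_me > 0:
        return realm.sso_session_max_lifespan_remember_me
    return realm.sso_session_max_lifespan


def max_lifespan_fixed(session: UserSession, realm: RealmConfig) -> int:
    """Lifespan that also honours the realm's *current* Remember Me toggle."""
    if (session.remember_me
            and realm.remember_me_enabled
            and realm.sso_session_max_lifespan_remember_me > 0):
        return realm.sso_session_max_lifespan_remember_me
    return realm.sso_session_max_lifespan


def is_expired(session: UserSession, realm: RealmConfig, now: int, lifespan_fn) -> bool:
    return now - session.started >= lifespan_fn(session, realm)


def stale_remember_me_sessions(sessions, realm: RealmConfig, now: int):
    """Sessions that the vulnerable check keeps alive but the fixed check would expire.

    After an admin disables Remember Me, these are the sessions worth terminating.
    """
    return [s for s in sessions
            if not is_expired(s, realm, now, max_lifespan_vulnerable)
            and is_expired(s, realm, now, max_lifespan_fixed)]


def demo():
    # Constructed scenario: Remember Me on, 10 h normal lifespan, 30 d remember-me lifespan.
    realm = RealmConfig(remember_me_enabled=True,
                        sso_session_max_lifespan=10 * HOUR,
                        sso_session_max_lifespan_remember_me=30 * DAY)
    sessions = [
        UserSession(started=0, remember_me=True, user="alice"),   # logged in with Remember Me
        UserSession(started=0, remember_me=False, user="bob"),    # ordinary session
        UserSession(started=20 * HOUR, remember_me=True, user="carol"),
    ]
    realm.remember_me_enabled = False   # admin disables Remember Me one hour later
    now = 24 * HOUR

    alice = sessions[0]
    return {
        "vulnerable_expired": is_expired(alice, realm, now, max_lifespan_vulnerable),
        "fixed_expired": is_expired(alice, realm, now, max_lifespan_fixed),
        "stale_users": [s.user for s in stale_remember_me_sessions(sessions, realm, now)],
    }


if __name__ == "__main__":
    print(demo())
```

Alice's session is 24 hours old when checked: the vulnerable logic still grants it the 30-day lifespan recorded at login, while the fixed logic falls back to the 10-hour lifespan and expires it. Carol's remember-me session is only four hours old, so both checks still accept it; she would not appear in the audit list yet, which is why terminating all active sessions after the configuration change is the safer course.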

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2025-11429
ECHO-0DB4-A794-6040
GHSA-64W3-5Q9M-68XF

Affected Products

Keycloak