#VU118564 Insufficient session expiration in Keycloak - CVE-2025-11429


Published: November 17, 2025


Vulnerability identifier: #VU118564
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-11429
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Keycloak
Software vendor:
Keycloak

Description

The vulnerability allows a remote attacker to compromise sessions of other users.

The vulnerability exists because Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. A remote attacker can hijack sessions of other users during a short period of time.
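An added defender-side check, not code from the advisory or from the Keycloak project: it replays the realm's non-"Remember Me" limits over a list of user sessions, so that sessions surviving only because of the old extended lifetime can be revoked right after the setting is disabled instead of being left to expire on their own. The realm and session field names are modelled on the Keycloak Admin REST API representations (an assumption to verify against your version) and the sample data is constructed.

```python
"""Flag Keycloak user sessions that outlive the realm's non-"Remember Me" limits.

Turning "Remember Me" off does not shorten sessions created while it was on
(CVE-2025-11429); this replays the non-remember-me limits over a session list so
an administrator can revoke the survivors instead of waiting for them to expire.

Assumed input shapes (hypothetical, modelled on the Keycloak Admin REST API realm
and user-session representations; the field names are an assumption):
  realm:    {"rememberMe": bool, "ssoSessionMaxLifespan": s, "ssoSessionIdleTimeout": s}
  sessions: [{"id": str, "username": str, "start": epoch_ms, "lastAccess": epoch_ms}]
"""
from typing import Dict, List


def stale_sessions(realm: Dict, sessions: List[Dict], now_ms: int) -> List[str]:
    """Return ids of sessions that survive only because of an extended lifetime.

    With "Remember Me" disabled every session must satisfy both bounds:
      now - start      <= ssoSessionMaxLifespan
      now - lastAccess <= ssoSessionIdleTimeout
    A session failing either one would already have expired under the current
    policy, so it is reported for explicit revocation.
    """
    if realm.get("rememberMe", False):
        return []  # Remember Me still on: extended lifetimes are intended
    max_life_ms = realm["ssoSessionMaxLifespan"] * 1000
    idle_ms = realm["ssoSessionIdleTimeout"] * 1000
    return [s["id"] for s in sessions
            if now_ms - s["start"] > max_life_ms
            or now_ms - s["lastAccess"] > idle_ms]


# Constructed sample: 10 h max lifespan, 30 min idle timeout, Remember Me just disabled.
SAMPLE_REALM = {"rememberMe": False, "ssoSessionMaxLifespan": 36000, "ssoSessionIdleTimeout": 1800}
NOW_MS = 1_700_000_000_000
HOUR_MS = 3_600_000
SAMPLE_SESSIONS = [
    # created 2 h ago, used 5 min ago: within the non-remember-me limits
    {"id": "s-fresh", "username": "alice", "start": NOW_MS - 2 * HOUR_MS, "lastAccess": NOW_MS - 300_000},
    # created 3 days ago: alive only thanks to the old remember-me lifespan
    {"id": "s-old", "username": "bob", "start": NOW_MS - 72 * HOUR_MS, "lastAccess": NOW_MS - 60_000},
    # created 5 h ago but idle for 3 h: exceeds the idle timeout
    {"id": "s-idle", "username": "carol", "start": NOW_MS - 5 * HOUR_MS, "lastAccess": NOW_MS - 3 * HOUR_MS},
]

if __name__ == "__main__":
    for sid in stale_sessions(SAMPLE_REALM, SAMPLE_SESSIONS, NOW_MS):
        # Revoke each one through the Admin REST API, e.g. DELETE /admin/realms/{realm}/sessions/{sid}
        print("revoke session", sid)
```

Feed it the realm representation and the output of the admin session listing for your realm; the ids it returns are the sessions the configuration change did not reach.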


Remediation

Install updates from vendor's website.

External links