Insufficient session expiration in Keycloak - CVE-2025-11429


Published: November 17, 2025


Vulnerability identifier: #VU118564
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-11429
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise sessions of other users.

The vulnerability exists because Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. A remote attacker can hijack sessions of other users during a short period of time.
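An added defender-side check, not code from this advisory or from the Keycloak project: after "Remember Me" has been turned off, list the realm's live user sessions and flag any whose age or idle time already exceeds the realm's normal SSO Session Max / SSO Session Idle limits, since those are the sessions still running on the old extended lifetime. The admin endpoint paths, the `start`/`lastAccess` field names and the realm values are assumptions based on the Keycloak admin REST API; the sessions and "now" timestamp are constructed sample data.

```python
"""Find Keycloak user sessions that outlive the realm's non-Remember-Me
limits (the residual state described for CVE-2025-11429)."""
import urllib.request

# Assumed RealmRepresentation fields (seconds); constructed sample values.
REALM = {"rememberMe": False,
         "ssoSessionIdleTimeout": 1800,      # 30 minutes
         "ssoSessionMaxLifespan": 36000}     # 10 hours

# Constructed sample of GET /admin/realms/{realm}/users/{id}/sessions
# output; epoch-millisecond timestamps and field names are assumed.
NOW_MS = 1_763_400_000_000  # constructed "now"
SAMPLE_SESSIONS = [
    {"id": "s-1", "username": "alice",
     "start": NOW_MS - 40_000_000, "lastAccess": NOW_MS - 60_000},
    {"id": "s-2", "username": "bob",
     "start": NOW_MS - 3_600_000, "lastAccess": NOW_MS - 120_000},
    {"id": "s-3", "username": "carol",
     "start": NOW_MS - 7_200_000, "lastAccess": NOW_MS - 3_000_000},
]


def lingering_sessions(sessions, realm, now_ms):
    """Return sessions that are still alive even though their age or idle
    time is past the realm's normal limits. With Remember Me disabled,
    such sessions can only be surviving on the old extended lifetime."""
    max_ms = realm["ssoSessionMaxLifespan"] * 1000
    idle_ms = realm["ssoSessionIdleTimeout"] * 1000
    flagged = []
    for s in sessions:
        age = now_ms - s["start"]
        idle = now_ms - s["lastAccess"]
        if age > max_ms or idle > idle_ms:
            flagged.append({"id": s["id"], "username": s["username"],
                            "reason": "max" if age > max_ms else "idle"})
    return flagged


def revoke_session(base_url, realm_name, token, session_id):
    """Revoke one session via DELETE /admin/realms/{realm}/sessions/{id}
    (assumed admin endpoint); needs an admin bearer token. Not called here."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm_name}/sessions/{session_id}",
        method="DELETE", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    for s in lingering_sessions(SAMPLE_SESSIONS, REALM, NOW_MS):
        print(f"{s['id']} ({s['username']}): over {s['reason']} limit")
```

On the constructed data this flags `s-1` (older than the 10-hour maximum) and `s-3` (idle longer than 30 minutes) while leaving `s-2` alone; each flagged id can then be passed to `revoke_session` with a real base URL and admin token.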


How to mitigate CVE-2025-11429

Install updates from vendor's website.

Sources