
Cloud Vulnerability DB
A community-led vulnerabilities database
A logic flaw (CVE-2025-11429) was discovered in Keycloak's session management system on October 7, 2025. The vulnerability affects Keycloak's handling of the "Remember Me" realm setting, where the system fails to immediately enforce the disabling of this feature on existing user sessions. This flaw impacts Keycloak versions prior to 26.4.1, particularly affecting the org.keycloak:keycloak-services package (Miggo Database, Red Hat CVE).
The vulnerability has been assigned a CVSS v3.1 score of 5.4 with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The flaw is categorized as CWE-613 and lies in the session expiration logic, which relies on the session-local "remember-me" flag without validating the current realm-level configuration. The issue specifically occurs in the isSessionValid function within AuthenticationManager.java, where sessions created with "Remember Me" enabled retain their extended session lifetime even after the feature is disabled at the realm level (Miggo Database).
When exploited, this vulnerability allows sessions created while "Remember Me" was active to keep their extended lifetime (rather than being cut back to the realm's ordinary idle and maximum timeouts) until they eventually expire, effectively overriding the administrator's security configuration change. This widens the window for successful session hijacking and for unauthorized long-term access persistence (Debian Tracker, Red Hat CVE).
The vulnerability has been patched in Keycloak version 26.4.1. The fix includes modifications to the isSessionValid method in AuthenticationManager.java, adding explicit checks to validate if a user session has the rememberMe flag set while the realm has disabled the rememberMe feature. Red Hat notes that for unpatched systems, mitigation options are either not available or do not meet their Product Security criteria for ease of use, deployment, and stability (Miggo Database, Red Hat CVE).
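The check described above, reduced to a runnable model. This is an added illustration, not Keycloak's own code: the class names, field names and timeout values are constructed to mirror the realm settings Keycloak exposes (SSO session idle/max and their Remember Me variants), and the "fixed" variant assumes that a session whose realm no longer permits Remember Me is evaluated against the ordinary timeouts. An audit helper lists sessions that the old logic still accepts but current realm policy would reject.

```python
from dataclasses import dataclass

# Constructed model of realm-level session settings (seconds).
# Values are illustrative defaults, not any real deployment's configuration.
@dataclass
class RealmConfig:
    remember_me_enabled: bool
    sso_session_idle: int = 30 * 60                      # 30 minutes
    sso_session_max: int = 10 * 60 * 60                  # 10 hours
    sso_session_idle_remember_me: int = 7 * 24 * 3600    # 7 days
    sso_session_max_remember_me: int = 30 * 24 * 3600    # 30 days


@dataclass
class UserSession:
    user: str
    started: int          # epoch seconds when the session was created
    last_refresh: int     # epoch seconds of the last activity
    remember_me: bool     # flag captured once, at login time


def _lifetimes(realm: RealmConfig, use_remember_me: bool):
    """Pick the (idle, max) pair that applies to a session."""
    if use_remember_me:
        return realm.sso_session_idle_remember_me, realm.sso_session_max_remember_me
    return realm.sso_session_idle, realm.sso_session_max


def is_session_valid_vulnerable(realm: RealmConfig, session: UserSession, now: int) -> bool:
    """CWE-613 pattern: trusts only the session-local rememberMe flag, so a
    realm-level change to the Remember Me setting is never consulted."""
    idle, max_life = _lifetimes(realm, session.remember_me)
    return now - session.last_refresh <= idle and now - session.started <= max_life


def is_session_valid_fixed(realm: RealmConfig, session: UserSession, now: int) -> bool:
    """Honour the session flag only while the realm still permits Remember Me
    (assumed behaviour of the corrected check, modelled here)."""
    use_rm = session.remember_me and realm.remember_me_enabled
    idle, max_life = _lifetimes(realm, use_rm)
    return now - session.last_refresh <= idle and now - session.started <= max_life


def sessions_outliving_policy(realm: RealmConfig, sessions, now: int):
    """Audit helper: users whose sessions the old logic still accepts but the
    realm's current policy would already have expired."""
    return [s.user for s in sessions
            if is_session_valid_vulnerable(realm, s, now)
            and not is_session_valid_fixed(realm, s, now)]


def demo():
    # Constructed scenario: alice logs in with Remember Me, then the admin
    # disables the feature realm-wide; two idle hours later we re-check.
    t0 = 1_700_000_000
    realm = RealmConfig(remember_me_enabled=True)
    alice = UserSession("alice", started=t0, last_refresh=t0, remember_me=True)
    bob = UserSession("bob", started=t0, last_refresh=t0, remember_me=False)
    realm.remember_me_enabled = False
    now = t0 + 2 * 3600
    return {
        "vulnerable_accepts_alice": is_session_valid_vulnerable(realm, alice, now),
        "fixed_accepts_alice": is_session_valid_fixed(realm, alice, now),
        "affected_users": sessions_outliving_policy(realm, [alice, bob], now),
    }


if __name__ == "__main__":
    print(demo())
```

Two hours of inactivity exceeds the 30-minute ordinary idle timeout but not the 7-day Remember Me one, so the vulnerable check still accepts alice after the administrator turned the feature off, while the fixed check does not; bob, who never used Remember Me, is expired by both. The same comparison, run over a real session store, is the kind of check an operator can use to decide whether revoking pre-upgrade sessions is worth the disruption.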
The vulnerability was discovered by Alexander Schwartz of Red Hat, highlighting the ongoing security research efforts within the company. The issue has been classified as having moderate severity by Red Hat (Red Hat CVE).
Source: This report was generated using AI