NIXPKGS-2026-0073

GitHub issue published on 21 Jan 2026

Permalink CVE-2025-11429

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed
4 packages
- terraform-providers.keycloak
- python312Packages.python-keycloak
- python313Packages.python-keycloak
- terraform-providers.keycloak_keycloak
1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

Keycloak-server: too long and not settings compliant session

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

Affected products

keycloak

<26.4.1

rhbk/keycloak-rhel9

rhbk/keycloak-rhel9-operator

rhbk/keycloak-operator-bundle

Red Hat build of Keycloak 26.2.11

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

nixos-unstable 26.4.5
- nixpkgs-unstable 26.4.5
- nixos-unstable-small 26.4.5

Package maintainers

@leona-ya Leona Maroni <nix@leona.is>
@NickCao Nick Cao <nickcao@nichi.co>
@ngerstle Nicholas Gerstle <ngerstle@gmail.com>
@talyz Kim Lindberger <kim.lindberger@gmail.com>

Upstream fix: https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0073

Affected products

Matching in nixpkgs

pkgs.keycloak

Package maintainers