Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0073

NIXPKGS-2026-0073
published on
Permalink CVE-2025-11429
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    4 packages
    • terraform-providers.keycloak
    • python312Packages.python-keycloak
    • python313Packages.python-keycloak
    • terraform-providers.keycloak_keycloak
    3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago
Keycloak-server: too long and not settings compliant session

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

Affected products

keycloak
  • <26.4.1
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
Red Hat build of Keycloak 26.2.11

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Ignored packages (4)

Package maintainers

Upstream fix: https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d