CVE-2025-11537

MEDIUM

Keycloak - Info Disclosure

Title source: llm

Description

A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.

References (2)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2025-11537

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2402616

Scores

CVSS v3 5.0

EPSS 0.0001

EPSS Percentile 0.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-117

Status published

Products (2)

org.keycloak/keycloak-quarkus-server 0 - 26.6.0Maven

Red Hat/Red Hat Build of Keycloak

Published Feb 10, 2026

Tracked Since Feb 18, 2026