CVE-2025-11537

MEDIUM

Keycloak - Info Disclosure

Title source: llm

Description

A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.

References (2)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2025-11537

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2402616

Scores

CVSS v3 5.0

EPSS 0.0001

EPSS Percentile 0.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Classification

CWE

CWE-117

Status draft

Affected Products (1)

org.keycloak/keycloak-quarkus-server < 26.6.0Maven

Timeline

Published Feb 10, 2026

Tracked Since Feb 18, 2026