CVE-2025-11537
Status: Awaiting Analysis - Queue
Information Disclosure via Verbose Logging in Keycloak Exposes Credentials

Publication date: 2026-02-10

Last updated on: 2026-02-10

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs

Vendor    Product   Version / Range
keycloak  keycloak  * (all versions)
redhat    keycloak  up to 2025-10-09 (inclusive)
CWE
CWE-117: The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
Executive Summary

CVE-2025-11537 is a vulnerability in Keycloak where sensitive HTTP headers such as Authorization and Cookie are exposed in cleartext within the HTTP access logs when the logging format is configured to a verbose, user-supplied pattern (for example, the predefined "long" pattern).

This exposure allows an attacker who has read access to the log files to extract credentials like bearer tokens and session cookies.

With these credentials, the attacker can impersonate users, potentially leading to full account compromise. [1]

Impact Analysis

If an attacker gains read access to the log files containing sensitive headers, they can extract authentication credentials such as bearer tokens and session cookies.

Using these credentials, the attacker can impersonate legitimate users, which may result in full account compromise.

This can lead to unauthorized access to user accounts and, through them, to sensitive information or to actions performed under the compromised accounts.


Detection Guidance

This vulnerability can be detected by examining the Keycloak server's HTTP access logs for the presence of sensitive headers such as Authorization and Cookie in cleartext. Specifically, if the logging format is set to a verbose, user-supplied pattern like the predefined "long" pattern, these headers may be exposed.

To detect this on your system, you can search the log files for occurrences of these headers. For example, you might use commands like:

- grep -i 'Authorization' /path/to/keycloak/logs/access.log
- grep -i 'Cookie' /path/to/keycloak/logs/access.log

If these commands return results showing sensitive header values in cleartext, it indicates the vulnerability is present. [1]
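The grep commands above only tell you that the header names occur; the added scanner below (example code written for this page, not from the advisory or from Keycloak) also reports where a credential value was written and shows it redacted, so the finding itself does not re-leak the secret. The log lines are constructed, and the script assumes a verbose pattern that writes each request header on its own `Name: value` line.

```python
import re
from typing import Dict, List

# Constructed sample in the style of a header-dumping access-log pattern.
# The token and cookie values are placeholders, not real credentials.
SAMPLE_LOG = """\
GET /realms/master/protocol/openid-connect/userinfo HTTP/1.1
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.e30.signature-placeholder
Accept: application/json
GET /admin/master/console/ HTTP/1.1
Cookie: KEYCLOAK_SESSION=master/abc123/def456; KC_RESTART=restart-placeholder
User-Agent: Mozilla/5.0
GET /realms/master/.well-known/openid-configuration HTTP/1.1
Accept: application/json
"""

# Header names whose values are credentials (compared case-insensitively).
SENSITIVE_HEADERS = ("authorization", "cookie", "set-cookie")
HEADER_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9-]+):\s*(?P<value>.+?)\s*$")


def redact(name: str, value: str) -> str:
    """Keep enough shape to recognise the finding, never the secret itself."""
    if name.lower() == "authorization":
        scheme, _, cred = value.partition(" ")
        return f"{scheme} {cred[:6]}..." if cred else f"{scheme[:6]}..."
    # Cookie / Set-Cookie: keep cookie names, drop every value.
    names = [p.strip().split("=", 1)[0] for p in value.split(";") if p.strip()]
    return "; ".join(f"{n}=<redacted>" for n in names)


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that carries a credential-bearing header."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = HEADER_RE.match(line)
        if not m or m.group("name").lower() not in SENSITIVE_HEADERS:
            continue
        name, value = m.group("name"), m.group("value")
        findings.append({"line": lineno, "header": name, "redacted": redact(name, value)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['header']}: {f['redacted']}")
```

Point `scan_log` at the contents of the real access log; any finding means the logging pattern is writing credentials and the affected lines should be treated as leaked secrets.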

Mitigation Strategies

To mitigate this vulnerability immediately, you should avoid using verbose, user-supplied logging formats that expose sensitive headers such as Authorization and Cookie in the logs.

Specifically, configure the Keycloak logging format to exclude sensitive headers or use a less verbose logging pattern that does not log these headers in cleartext.

Additionally, restrict access to the log files to only trusted administrators to prevent unauthorized reading of sensitive information.
