CVE-2025-11537
Information Disclosure via Verbose Logging in Keycloak Exposes Credentials
Publication date: 2026-02-10
Last updated on: 2026-02-10
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | * |
| redhat | keycloak | to 2025-10-09 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-117 | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11537 is a vulnerability in Keycloak where sensitive HTTP headers such as Authorization and Cookie are exposed in cleartext within the HTTP access logs when the logging format is configured to a verbose, user-supplied pattern (for example, the predefined "long" pattern).
This exposure allows an attacker who has read access to the log files to extract credentials like bearer tokens and session cookies.
With these credentials, the attacker can impersonate users, potentially leading to full account compromise. [1]
How can this vulnerability impact me?
If an attacker gains read access to the log files containing sensitive headers, they can extract authentication credentials such as bearer tokens and session cookies.
Using these credentials, the attacker can impersonate legitimate users, which may result in full account compromise.
This can lead to unauthorized access to user accounts and potentially sensitive information or actions performed under the compromised accounts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by examining the Keycloak server's HTTP access logs for the presence of sensitive headers such as Authorization and Cookie in cleartext. Specifically, if the logging format is set to a verbose, user-supplied pattern like the predefined "long" pattern, these headers may be exposed.
To detect this on your system, you can search the log files for occurrences of these headers. For example, you might use commands like:
- grep -i 'Authorization' /path/to/keycloak/logs/access.log
- grep -i 'Cookie' /path/to/keycloak/logs/access.log
If these commands return results showing sensitive header values in cleartext, it indicates the vulnerability is present. [1]
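A small scanner for the grep-style check above, added here as an example and not part of this advisory or of Keycloak itself: it walks access-log lines (a constructed sample in the header-echoing "long" style is embedded, with fake token and cookie values), reports which lines carry Authorization or Cookie headers, and previews only the auth scheme and cookie names so the finding does not itself copy the credential into another file. The log layout, the Set-Cookie addition and the command-line usage are assumptions.

```python
import re
import sys
from typing import Dict, List

# Constructed sample of a verbose ("long"-style) access log that echoes every
# request header. All tokens and cookie values below are fake placeholders.
SAMPLE_LOG = """\
GET /realms/master/account HTTP/1.1
Host: sso.example.test
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.FAKE.PAYLOAD
Cookie: KEYCLOAK_SESSION=master/fake-sid; AUTH_SESSION_ID=fake-auth-session
POST /realms/master/protocol/openid-connect/token HTTP/1.1
Host: sso.example.test
Content-Type: application/x-www-form-urlencoded
"""

# Headers whose values are credentials and must never reach a log in cleartext
# (Set-Cookie added as an assumption, in case response headers are logged too).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie"}
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z0-9-]+):\s*(?P<value>.*)$")


def safe_preview(name: str, value: str) -> str:
    """Describe the leaked header without reproducing the secret itself."""
    if name == "authorization":
        scheme = value.split(None, 1)[0] if value.strip() else "<empty>"
        return f"scheme: {scheme}"
    if name in ("cookie", "set-cookie"):
        names = [p.split("=", 1)[0].strip() for p in value.split(";") if p.strip()]
        return "cookies: " + ", ".join(names)
    return "[redacted]"


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that exposes a sensitive header."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = HEADER_RE.match(line)
        if m and m.group("name").lower() in SENSITIVE_HEADERS:
            findings.append({"line": lineno, "header": m.group("name"),
                             "preview": safe_preview(m.group("name").lower(),
                                                     m.group("value"))})
    return findings


if __name__ == "__main__":
    # Assumed usage: pass the path of the Keycloak access log; without an
    # argument the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    hits = scan_access_log(text)
    for h in hits:
        print(f"line {h['line']}: {h['header']} logged in cleartext ({h['preview']})")
    sys.exit(1 if hits else 0)
```

A non-zero exit status when any finding exists makes the script usable as a check in a log-rotation hook or a CI job that inspects test deployments.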
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should avoid using verbose, user-supplied logging formats that expose sensitive headers such as Authorization and Cookie in the logs.
Specifically, configure the Keycloak logging format to exclude sensitive headers or use a less verbose logging pattern that does not log these headers in cleartext.
Additionally, restrict access to the log files to only trusted administrators to prevent unauthorized reading of sensitive information.