CVE-2025-11537

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.0 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N                                    

Vulnerability Description

A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.

Vulnerability Details

Published Date

February 10, 2026

Last Modified

February 11, 2026

CWE ID

CWE-117

Source

NVD

Vendor

Red Hat

Product

Red Hat Build of Keycloak

External References

https://access.redhat.com/security/cve/CVE-2025-11537
https://bugzilla.redhat.com/show_bug.cgi?id=2402616

CVE-2025-11537

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment