VYPR
Medium severity (5.0) · NVD Advisory · Published Feb 10, 2026 · Updated Apr 15, 2026

CVE-2025-11537

Description

A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive request headers, including Authorization and Cookie, are written to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.
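The description above explains the exposure: a verbose log pattern copies request headers, credentials included, into the log. As an added example (not from the advisory or the Keycloak project), the Python below runs over constructed sample log lines, detects leaked Authorization and Cookie values so an operator can see which tokens and sessions must be revoked, and redacts them before the log is retained or shipped. The line layout, realm names and token strings are constructed for illustration and do not reproduce Keycloak's actual 'long' pattern output.

```python
import re
from collections import Counter

# Constructed sample log lines (not real Keycloak output). They mimic verbose
# request logging that dumps the full header set, which is the behaviour the
# advisory describes; the third line is a normal event with nothing to redact.
SAMPLE_LOG_LINES = [
    "2026-02-10 12:00:01,123 INFO  [io.quarkus.http.access-log] GET /realms/demo/account "
    "headers={Authorization=Bearer eyJhbGciOiJSUzI1NiJ9.constructed.sig, Accept=*/*}",
    "2026-02-10 12:00:02,456 INFO  [io.quarkus.http.access-log] POST /realms/demo/protocol/openid-connect/token "
    "headers={Cookie=KEYCLOAK_SESSION=demo/abc123/def456; AUTH_SESSION_ID=xyz789, Content-Type=application/x-www-form-urlencoded}",
    "2026-02-10 12:00:03,789 INFO  [org.keycloak.events] type=LOGIN, realmId=demo, clientId=account-console",
]

# Headers whose values are credentials or session material and must never reach logs.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie", "set-cookie")

# Matches "<Header>=<value>" or "<Header>: <value>"; the value runs to the next comma,
# closing brace or end of line. Assumption: values contain no commas (true for the
# constructed samples; a real log format may need a tighter delimiter).
_HEADER_RE = re.compile(
    r"(?i)\b(" + "|".join(re.escape(h) for h in SENSITIVE_HEADERS) + r")(\s*[:=]\s*)([^,}\r\n]+)"
)

def find_leaked_headers(line: str) -> list[tuple[str, str]]:
    """Return (header name, cleartext value) pairs found in one log line."""
    return [(m.group(1), m.group(3)) for m in _HEADER_RE.finditer(line)]

def has_credential_leak(line: str) -> bool:
    return _HEADER_RE.search(line) is not None

def redact_line(line: str) -> str:
    """Keep the header name and separator, replace the secret with a marker."""
    return _HEADER_RE.sub(r"\1\2[REDACTED]", line)

def scan_log(lines) -> dict[str, int]:
    """Count leaked occurrences per header (lower-cased) across a log, for triage."""
    counts = Counter()
    for line in lines:
        for name, _value in find_leaked_headers(line):
            counts[name.lower()] += 1
    return dict(counts)

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        if has_credential_leak(line):
            print("LEAK:", find_leaked_headers(line))
            print("SAFE:", redact_line(line))
    print(scan_log(SAMPLE_LOG_LINES))
```

Redaction is a stop-gap for logs already written; the fix is to update to the patched version and not run with a pattern that emits request headers.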


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.keycloak:keycloak-quarkus-server (Maven)
Affected versions: < 26.5.6
Patched versions: 26.5.6
