Medium severity (5.0) · NVD Advisory · Published Feb 10, 2026 · Updated Apr 15, 2026
CVE-2025-11537
Description
A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.
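As an added illustration (not code from Keycloak or from the advisory), the scanner below shows the defender-side check this flaw calls for: it walks log lines, flags any that carry an Authorization or Cookie header value in cleartext, and produces a redacted copy. The log lines, header list and regular expression are constructed for this example; they are not real Keycloak output or a Keycloak API.

```python
import re

# Header names whose values are credentials when they appear in a log line.
# Constructed for this example; longer names come first so "set-cookie" is not
# reported as "cookie" and "proxy-authorization" not as "authorization".
SENSITIVE_HEADERS = ("proxy-authorization", "authorization", "set-cookie", "cookie")

# Matches "Header: value" or "Header=value"; the value runs to the next comma,
# closing bracket or end of line, so a Cookie header keeps its ';'-separated pairs.
_HEADER_RE = re.compile(
    r"\b(?P<name>" + "|".join(SENSITIVE_HEADERS) + r")\s*[:=]\s*(?P<value>[^,\]\r\n]+)",
    re.IGNORECASE,
)

def find_leaked_headers(line: str) -> list[tuple[str, str]]:
    """Return (header_name, value) pairs of credential headers present in one log line."""
    return [(m.group("name").lower(), m.group("value").strip()) for m in _HEADER_RE.finditer(line)]

def redact_line(line: str) -> str:
    """Replace credential header values with a fixed marker, leaving the rest of the line intact."""
    return _HEADER_RE.sub(lambda m: f"{m.group('name')}: [REDACTED]", line)

def scan_log(lines) -> list[dict]:
    """Scan an iterable of log lines; return one finding per line that leaks a credential header."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        leaked = find_leaked_headers(line)
        if leaked:
            findings.append({"line": lineno, "headers": [h for h, _ in leaked], "redacted": redact_line(line)})
    return findings

# Constructed sample lines in the shape of a verbose request log; not real captures.
SAMPLE_LOG = [
    "2026-02-10 12:00:01,123 INFO  [org.keycloak.events] (executor-thread-1) type=LOGIN, realmId=master, userId=1234",
    "2026-02-10 12:00:02,456 DEBUG [io.quarkus.http] (executor-thread-2) GET /realms/master/account headers=[Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.constructed.token, Accept: */*]",
    "2026-02-10 12:00:03,789 DEBUG [io.quarkus.http] (executor-thread-3) POST /realms/master/protocol/openid-connect/token headers=[Cookie: KEYCLOAK_SESSION=master/abc-constructed; KC_RESTART=xyz, Content-Type: application/x-www-form-urlencoded]",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: leaked {', '.join(f['headers'])}")
        print("  " + f["redacted"])
```

Pointing `scan_log` at an existing log file tells you whether credentials have already been written out and therefore which tokens and sessions to treat as exposed; switching the logging format away from the verbose pattern stops further disclosure.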
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-quarkus-server (Maven) | < 26.5.6 | 26.5.6 |
Affected products
Seven package coordinates are listed (no CPE is assigned to any of them); the version ranges appear in the same order as the packages:
- pkg:apk/chainguard/keycloak-26.5: < 26.5.6-r3
- pkg:apk/chainguard/keycloak-26.5-iamguarded-compat: < 26.5.6-r3
- pkg:apk/chainguard/keycloak-fips-26.5: < 26.5.6-r4
- pkg:apk/chainguard/keycloak-fips-26.5-iamguarded-fips: < 26.5.6-r4
- pkg:apk/wolfi/keycloak-26.5: < 26.5.6-r3
- pkg:apk/wolfi/keycloak-26.5-iamguarded-compat: < 26.5.6-r3
- pkg:maven/org.keycloak/keycloak-quarkus-server: < 26.5.6
References
- github.com/advisories/GHSA-gv3v-2cpp-3pmq (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-11537 (advisory, via GHSA)
- access.redhat.com/security/cve/CVE-2025-11537 (web, via NVD)
- bugzilla.redhat.com/show_bug.cgi (web, via NVD)
- github.com/keycloak/keycloak/commit/137a35c1109ff43a305f26264978a3ea21452373 (web, via GHSA)
- github.com/keycloak/keycloak/commit/5a3cdb7c4ccbf83ffc926f70d655a60269d7207b (web, via GHSA)
- github.com/keycloak/keycloak/commit/9622f550a6e565b29a3a37454421f08626791a6c (web, via GHSA)
- www.keycloak.org/server/logging (web, via GHSA)