Keycloak logs sensitive headers

GHSA-gv3v-2cpp-3pmq · CVE-2025-11537

Published Feb 10, 2026 · Modified Apr 9, 2026

Description

A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.

Patches are available, see:

https://github.com/keycloak/keycloak/releases/tag/26.4.11
https://github.com/keycloak/keycloak/releases/tag/26.5.6
https://github.com/keycloak/keycloak/releases/tag/26.6.0

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-11537
WEB https://github.com/keycloak/keycloak/commit/137a35c1109ff43a305f26264978a3ea21452373
WEB https://github.com/keycloak/keycloak/commit/5a3cdb7c4ccbf83ffc926f70d655a60269d7207b
WEB https://github.com/keycloak/keycloak/commit/9622f550a6e565b29a3a37454421f08626791a6c
WEB https://access.redhat.com/security/cve/CVE-2025-11537
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2402616
PACKAGE https://github.com/keycloak/keycloak
WEB https://www.keycloak.org/server/logging#_change_log_formatpattern

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes