CVE-2025-11537 Overview
A security flaw was discovered in Keycloak where sensitive authentication headers are exposed in cleartext when verbose logging patterns are configured. When the logging format is set to a verbose pattern, whether a user-supplied one or the pre-defined 'long' pattern, Authorization and Cookie headers are written to log files. An attacker with read access to those log files can extract credentials, including bearer tokens and session cookies, enabling user impersonation and full account compromise.
Critical Impact
Attackers with log file access can extract bearer tokens and session cookies to impersonate users and fully compromise accounts.
Affected Products
- Keycloak (specific versions not disclosed)
Discovery Timeline
- 2026-02-10 - CVE-2025-11537 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2025-11537
Vulnerability Analysis
This vulnerability falls under CWE-117 (Improper Output Neutralization for Logs), representing an information disclosure flaw in Keycloak's logging subsystem. The core issue stems from how Keycloak handles HTTP request logging when verbose patterns are enabled.
When administrators configure logging to use detailed formats like the built-in 'long' pattern, the application fails to sanitize sensitive HTTP headers before writing them to log files. This means that Authorization headers containing bearer tokens and Cookie headers containing session identifiers are written in cleartext, creating a persistent record of credentials that should never be stored.
The vulnerability requires local access to the system where Keycloak logs are stored. An attacker who gains read access to these log files—whether through a separate vulnerability, insider access, or misconfigured file permissions—can harvest authentication credentials from historical log entries. These credentials can then be replayed to impersonate legitimate users.
Root Cause
The root cause is improper output neutralization in Keycloak's logging implementation. When verbose logging patterns are configured, the application includes HTTP request headers in log output without properly sanitizing or redacting sensitive authentication data. The logging subsystem treats Authorization and Cookie headers the same as non-sensitive headers, leading to credential exposure in log files.
Attack Vector
This vulnerability has a local attack vector requiring the attacker to have read access to log files on the system running Keycloak. The attack sequence involves:
- An attacker gains read access to Keycloak log files (through misconfigured permissions, another vulnerability, or legitimate but abused access)
- The attacker searches log files for Authorization and Cookie header entries
- Bearer tokens and session cookies are extracted from log entries
- The attacker uses the harvested credentials to impersonate affected users
The attack requires user interaction in the sense that legitimate users must authenticate through the Keycloak instance while verbose logging is enabled, generating the log entries containing their credentials.
Detection Methods for CVE-2025-11537
Indicators of Compromise
- Unusual read access patterns to Keycloak log files or directories
- Log analysis tools or scripts being executed against authentication logs
- Session tokens being used from unexpected IP addresses or locations
- Multiple authentication sessions for users that should only have single sessions
- Evidence of log file exfiltration or copying to unauthorized locations
Detection Strategies
- Monitor file access events for Keycloak log directories using file integrity monitoring solutions
- Implement anomaly detection for log file access patterns, alerting on unusual read operations
- Track session token usage and flag tokens being used from multiple distinct network locations
- Review logging configurations regularly to identify verbose patterns that may expose sensitive data
Monitoring Recommendations
- Enable audit logging for all file system access to Keycloak log directories
- Configure SentinelOne Singularity Platform to monitor for suspicious file access patterns on log files
- Implement SIEM rules to correlate log file access with subsequent authentication anomalies
- Deploy endpoint detection to identify credential harvesting tools or scripts targeting log files
How to Mitigate CVE-2025-11537
Immediate Actions Required
- Review current Keycloak logging configuration and disable verbose patterns like 'long' that include request headers
- Rotate all bearer tokens and invalidate active sessions that may have been exposed during the vulnerable period
- Restrict file system permissions on log directories to only essential service accounts
- Audit log file access to identify any potential credential harvesting that has already occurred
- Implement log file encryption at rest to protect historical data
Patch Information
Consult the Red Hat CVE-2025-11537 Advisory for official patch information and updated Keycloak versions that address this vulnerability. Additional technical details are available in Red Hat Bug Report #2402616.
Workarounds
- Configure Keycloak to use logging patterns that exclude request headers, particularly avoiding the 'long' pattern
- Implement log sanitization filters to redact Authorization and Cookie headers before they are written to disk
- Restrict log file permissions to prevent unauthorized read access using appropriate file system ACLs
- Consider redirecting sensitive logs to a secure, centralized logging system with access controls
- Enable log rotation with short retention periods to minimize the window of credential exposure
The vulnerability can be mitigated through configuration changes that prevent sensitive headers from being logged. Modify the logging format in your Keycloak configuration to use a pattern that excludes request headers, or implement a custom log filter that redacts sensitive values before they reach the log file.
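The log-sanitization workaround above, as an added Python example that is not Keycloak's own code: it redacts Authorization and Cookie header values (and, going slightly beyond the advisory, Set-Cookie) in access-log lines before they are forwarded or written, and counts how many lines carried credentials so the token-rotation step can be scoped. It assumes the 'long'-style layout of one header per line; the sample log lines are constructed.

```python
import re

# Constructed sample of a verbose ("long"-style) access log: request line, then one header per line.
SAMPLE_LOG = """\
GET /realms/master/account HTTP/1.1
Host: sso.example.test
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.constructed.payload
Cookie: AUTH_SESSION_ID=abc123; KEYCLOAK_SESSION=master/uuid/sess; theme=dark
Accept: application/json
"""

# Headers named in the advisory (Authorization, Cookie) plus Set-Cookie, which
# carries the same session identifiers on the response side.
_HEADER_RE = re.compile(
    r"^(?P<indent>\s*)(?P<name>authorization|cookie|set-cookie)"
    r"(?P<sep>\s*:\s*)(?P<value>.*)$",
    re.IGNORECASE,
)
_AUTH_RE = re.compile(r"^(?P<scheme>\S+)\s+\S.*$")   # "Bearer <token>"
_COOKIE_PAIR_RE = re.compile(r"([^=;\s]+)=([^;]*)")  # "name=value" pairs

def _redact_value(name: str, value: str) -> str:
    """Keep the non-secret shape (auth scheme, cookie names), drop the secrets."""
    if not value.strip():
        return value
    if name.lower() == "authorization":
        m = _AUTH_RE.match(value)
        return f"{m.group('scheme')} [REDACTED]" if m else "[REDACTED]"
    # Cookie / Set-Cookie: every value is masked, names are kept for debugging.
    return _COOKIE_PAIR_RE.sub(lambda p: f"{p.group(1)}=[REDACTED]", value)

def redact_line(line: str) -> str:
    """Return the log line with any sensitive header value redacted."""
    body = line.rstrip("\r\n")
    eol = line[len(body):]  # preserve the original line terminator
    m = _HEADER_RE.match(body)
    if not m:
        return line
    clean = _redact_value(m.group("name"), m.group("value"))
    return f"{m.group('indent')}{m.group('name')}{m.group('sep')}{clean}{eol}"

def sanitize(lines) -> tuple[list[str], int]:
    """Redact a line stream; count lines that carried credentials (rotation signal)."""
    out, exposed = [], 0
    for line in lines:
        clean = redact_line(line)
        if clean != line:
            exposed += 1
        out.append(clean)
    return out, exposed
```

Run it as a filter between Keycloak and the log destination (for example a forwarder or sidecar), or over existing log files to learn whether any already-written entries hold credentials that require session invalidation.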
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.