Home

Description

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.

PUBLISHED Reserved 2025-10-09 | Published 2025-11-13 | Updated 2025-11-13 | Assigner redhat




MEDIUM: 6.8CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

Binding to an Unrestricted IP Address

Product status

Default status
affected

26.4.4-1 (rpm) before *
unaffected

Default status
affected

26.4-3 (rpm) before *
unaffected

Default status
affected

26.4-3 (rpm) before *
unaffected

Default status
unaffected

Timeline

2025-10-09:Reported to Red Hat.
2025-11-13:Made public.

Credits

This issue was discovered by Steven Hawkins (Red Hat).

References

access.redhat.com/errata/RHSA-2025:21370 (RHSA-2025:21370) vendor-advisory

access.redhat.com/errata/RHSA-2025:21371 (RHSA-2025:21371) vendor-advisory

access.redhat.com/security/cve/CVE-2025-11538 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2402622 (RHBZ#2402622) issue-tracking

cve.org (CVE-2025-11538)

nvd.nist.gov (CVE-2025-11538)

Download JSON