CVE-2025-11538

Description

A vulnerability exists in Keycloak's server distribution where enabling debug mode (`--debug`) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (`0.0.0.0`). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine. Red Hat evaluates this as a Moderate impact vulnerability due to the requirement of running debug mode and untrusted network. Also, for Red Hat Single Sign-On, this must as well be bound to 0.0.0.0 address, which is not recommended in production scenarios.

How to fix CVE-2025-11538

To remediate CVE-2025-11538, upgrade the affected package to a fixed version below.

• —upgrade to 26.4.4 or later

Is CVE-2025-11538 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 26.4.4

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-11538
• PATCHgithub.com/keycloak/keycloak
• WEBaccess.redhat.com/errata/RHSA-2025:21370
• WEBaccess.redhat.com/errata/RHSA-2025:21371
• WEBaccess.redhat.com