CVE-2025-11538
Keycloak-server: debug default bind address
In short
Keycloak's debug mode exposes a Java debugging port to the entire network by default, allowing attackers on the same network to remotely control the server and execute malicious code.
Technical detail
When debug mode is enabled via --debug flag, the JDWP port binds to 0.0.0.0 instead of localhost, exposing it to network-accessible attackers. An unauthenticated attacker with network access can attach a remote debugger to achieve arbitrary code execution within the Keycloak JVM without requiring valid credentials.
Summary generated and translated by AI from the official description.
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
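As an added detection example (not code from this page or from the Keycloak project), the following Python classifies the JDWP exposure of a running JVM from its command line, so an operator can find debug listeners bound beyond loopback on their own hosts. The address rules it encodes are the JVM's documented behaviour (a bare port binds to loopback on JDK 9+ and to every interface on JDK 8 and earlier; `*:<port>`, `0.0.0.0` and `::` bind to every interface); the sample command lines are constructed, and the exact agent string Keycloak emits for --debug is an assumption.

```python
# Added detection example, not Keycloak project code.
import re

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", ""}
# Matches both the modern -agentlib:jdwp=... and the legacy -Xrunjdwp:... forms.
JDWP_RE = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")

def parse_jdwp_options(cmdline: str):
    """Return the JDWP agent's key=value options, or None if no agent is loaded."""
    match = JDWP_RE.search(cmdline)
    if not match:
        return None
    opts = {}
    for item in match.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts

def jdwp_exposure(cmdline: str, jdk_major: int = 17) -> str:
    """Classify a JVM's JDWP listener: none, client, loopback, all-interfaces or host."""
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return "none"
    if opts.get("server", "n") != "y":
        return "client"  # JVM connects out to a debugger; nothing is listening
    host, sep, _port = opts.get("address", "").rpartition(":")
    if not sep:
        # Bare port: JDK 9+ binds loopback only, JDK 8 and earlier bind every interface.
        return "loopback" if jdk_major >= 9 else "all-interfaces"
    host = host.strip("[]")  # IPv6 literals are written as [::1]:8787
    if host in WILDCARD_HOSTS:
        return "all-interfaces"
    if host in LOOPBACK_HOSTS:
        return "loopback"
    return "host"  # bound to one specific non-loopback address

# Constructed sample command lines (the Keycloak ones assume kc.sh emits address=*:<port> for --debug).
SAMPLE_CMDLINES = {
    "keycloak_debug": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8787 -jar /opt/keycloak/lib/quarkus-run.jar",
    "keycloak_loopback": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=localhost:8787 -jar /opt/keycloak/lib/quarkus-run.jar",
    "legacy_jdk8": "java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8787 -jar app.jar",
    "client_mode": "java -agentlib:jdwp=transport=dt_socket,server=n,address=debugger.internal:5005 -jar app.jar",
    "no_debug": "java -jar app.jar",
}

def scan(cmdlines: dict, jdk_major: int = 17) -> dict:
    """Return only the JVMs whose debug port is reachable beyond loopback."""
    return {name: verdict for name, cmd in cmdlines.items()
            if (verdict := jdwp_exposure(cmd, jdk_major)) in ("all-interfaces", "host")}
```

On a live host, feed it the contents of /proc/<pid>/cmdline (NUL bytes replaced by spaces) for each java process and pass the JDK major version that process runs on.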
Affected products
Keycloak · keycloak
Red Hat · Red Hat build of Keycloak 26.4
Red Hat · Red Hat build of Keycloak 26.4.4
References
https://access.redhat.com/errata/RHSA-2025:21370
https://access.redhat.com/errata/RHSA-2025:21371
https://access.redhat.com/security/cve/CVE-2025-11538
https://bugzilla.redhat.com/show_bug.cgi?id=2402622
https://github.com/keycloak/keycloak/commit/9e98f2bf961f68853cea6fbec58b512ed8be7ca9
https://github.com/keycloak/keycloak/pull/43574