6.8

CVE-2025-11538

Keycloak-server: debug default bind address

Debug default bind address

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
Possible countermeasure
Keycloak Server: install the latest version
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Affected products
Vendor    Product                            Default status  Version range           Status
Keycloak  keycloak                           unaffected      from 0, < 26.4.4        affected
Red Hat   Red Hat build of Keycloak 26.4     affected        from 26.4.4-1, < *      unaffected
Red Hat   Red Hat build of Keycloak 26.4     affected        from 26.4-3, < *        unaffected
Red Hat   Red Hat build of Keycloak 26.4     affected        from 26.4-3, < *        unaffected
Red Hat   Red Hat build of Keycloak 26.4.4   unaffected      -                       -
Further vulnerability information
System   Keycloak
Product  Keycloak Server
Version  < 26.4.4
No advisory was found for this CVE.
EPSS metrics
Type  Source     Score  Percentile
EPSS  FIRST.org  0.01%  0.016
CVSS metrics
Source               Base Score  Exploit Score  Impact Score  Vector String
secalert@redhat.com  6.8         1.6            5.2           CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-1327 Binding to an Unrestricted IP Address

The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.
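As an added example (not part of the CVE record and not Keycloak's own code): a Python audit that reads the JDWP agent options off a JVM command line and flags debug listeners bound to an unrestricted address, the CWE-1327 condition described above. The sample command lines and the port 8787 are constructed; the bare-port rule follows the JDK's documented default (localhost since JDK 9, all interfaces before).

```python
"""Audit JDWP listener settings on JVM command lines (added example, not Keycloak's code)."""
import re
from typing import Optional

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}  # local machine only
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}  # every interface (CWE-1327)
# Matches the modern (-agentlib:jdwp=) and legacy (-Xrunjdwp:) agent syntax.
JDWP_RE = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:)([^\s'\"]+)")


def classify_jdwp(cmdline: str, jdk_major: int = 17) -> Optional[dict]:
    """Describe the JDWP agent in cmdline (None if absent): keys listening,
    host, port and exposed (True when a remote host could attach)."""
    match = JDWP_RE.search(cmdline)
    if not match:
        return None
    opts = dict(kv.split("=", 1) for kv in match.group(1).split(",") if "=" in kv)
    listening = opts.get("server", "n") == "y"
    host, _, port = opts.get("address", "").rpartition(":")
    if not listening:
        exposed = False  # client mode: the JVM dials out, nothing listens
    elif host in WILDCARD_HOSTS:
        exposed = True
    elif host in LOOPBACK_HOSTS:
        exposed = False
    elif host == "":
        # Bare port: JDK 9+ binds localhost, older JDKs bound all interfaces.
        exposed = jdk_major < 9
    else:
        exposed = True  # explicit non-loopback address or hostname
    return {"listening": listening, "host": host, "port": port, "exposed": exposed}


def exposed_listeners(cmdlines, jdk_major: int = 17):
    """Return (cmdline, finding) pairs whose JDWP listener is network-reachable."""
    results = [(line, classify_jdwp(line, jdk_major)) for line in cmdlines]
    return [(line, f) for line, f in results if f and f["exposed"]]


# Constructed sample command lines; 8787 is an assumed debug port.
SAMPLE_CMDLINES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8787 -jar kc.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=localhost:8787 -jar kc.jar",
    "java -Xmx2g -jar kc.jar",
]

if __name__ == "__main__":
    for line, f in exposed_listeners(SAMPLE_CMDLINES):
        print(f"EXPOSED: JDWP on {f['host'] or '<default>'}:{f['port']} in: {line}")
```

Feed it the output of `ps -eo args` from a host running Keycloak to spot a debug listener left bound to `*`, `0.0.0.0` or `::`.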