CVE-2024-11734 MEDIUM

CVE-2024-11734: org.keycloak:keycloak-quarkus-server: denial of service in keycloak server via security headers

Vendor Red Hat
Product RHBK (Red Hat build of Keycloak) 26.0.8
Weakness CWE-693 (Protection Mechanism Failure)
Published January 14, 2025
Last update November 20, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

A denial of service vulnerability was found in Keycloak that allows an administrative user with the right to change realm settings to disrupt the service. The trigger is editing any of the realm's security headers (the per-realm browser security headers such as Content-Security-Policy and X-Frame-Options) so that the value contains a newline. When Keycloak later writes such a header onto a response, the write fails and the server ends up writing to a request that has already been terminated, so that request fails. The impact is on availability only (A:H in the vector above); confidentiality and integrity are not affected.
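The practical check that follows from this description is to refuse, or at least detect, a security-header value that contains CR, LF or another control character before it reaches the realm. The script below is an added example written for this page; it is not Keycloak's or Red Hat's code. It assumes the key names Keycloak uses under `browserSecurityHeaders` in a realm representation (the JSON returned by `GET /admin/realms/{realm}` or `kcadm.sh get realms/{realm}`), and the two sample realms it audits are constructed for the example, one with a newline injected into the Content-Security-Policy value and one with the same header corrected.

```python
"""Audit a Keycloak realm representation for security-header values that
contain CR/LF or other control characters (the trigger behind CVE-2024-11734).
Added example for this advisory page; not Keycloak's own validation code."""
import json
import re

# Realm-representation keys under "browserSecurityHeaders" and the HTTP
# response header each one is emitted as (key names as used by the Keycloak
# admin REST API; assumption stated in the lead-in).
BROWSER_SECURITY_HEADERS = {
    "contentSecurityPolicy": "Content-Security-Policy",
    "contentSecurityPolicyReportOnly": "Content-Security-Policy-Report-Only",
    "xContentTypeOptions": "X-Content-Type-Options",
    "xFrameOptions": "X-Frame-Options",
    "xXSSProtection": "X-XSS-Protection",
    "strictTransportSecurity": "Strict-Transport-Security",
    "referrerPolicy": "Referrer-Policy",
    "xRobotsTag": "X-Robots-Tag",
}

# HTTP field values may not contain CR, LF or NUL (RFC 9110 section 5.5), and
# HTTP stacks commonly refuse the remaining C0 controls and DEL as well.
# HTAB (0x09) is legal inside a field value and is therefore not matched.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def is_valid_header_value(value: str) -> bool:
    """True if value contains no byte that would break header serialisation."""
    return _FORBIDDEN.search(value) is None


def validate_header_value(name: str, value: str) -> str:
    """Return value unchanged if it is a legal HTTP field value, else raise.

    Intended as a pre-flight check in tooling that pushes realm updates through
    the admin API, so a bad value is rejected before it is stored."""
    match = _FORBIDDEN.search(value)
    if match:
        raise ValueError(
            f"{name}: illegal byte 0x{ord(match.group()):02x} "
            f"at offset {match.start()}"
        )
    return value


def find_unsafe_headers(realm: dict) -> list:
    """Audit an existing realm representation.

    Returns one finding per security header whose value contains a forbidden
    character: the realm key, the HTTP header name, and where the bad byte is."""
    findings = []
    headers = realm.get("browserSecurityHeaders") or {}
    for key, value in headers.items():
        if not isinstance(value, str):
            continue
        match = _FORBIDDEN.search(value)
        if match:
            findings.append({
                "key": key,
                "header": BROWSER_SECURITY_HEADERS.get(key, key),
                "offset": match.start(),
                "byte": f"0x{ord(match.group()):02x}",
            })
    return findings


def audit_realm_json(text: str) -> list:
    """Same audit over the raw JSON text of an exported realm."""
    return find_unsafe_headers(json.loads(text))


# Constructed sample realms (not taken from any real deployment): the first has
# a newline inserted into Content-Security-Policy, the second is corrected.
VULNERABLE_REALM = {
    "realm": "example",
    "browserSecurityHeaders": {
        "contentSecurityPolicy":
            "frame-src 'self'; frame-ancestors 'self';\nobject-src 'none';",
        "xFrameOptions": "SAMEORIGIN",
        "strictTransportSecurity": "max-age=31536000; includeSubDomains",
    },
}

FIXED_REALM = {
    "realm": "example",
    "browserSecurityHeaders": {
        "contentSecurityPolicy":
            "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
        "xFrameOptions": "SAMEORIGIN",
        "strictTransportSecurity": "max-age=31536000; includeSubDomains",
    },
}


if __name__ == "__main__":
    for label, realm in (("vulnerable", VULNERABLE_REALM), ("fixed", FIXED_REALM)):
        print(label, find_unsafe_headers(realm))
```

Run `find_unsafe_headers` over every realm's representation after exporting it with `kcadm.sh get realms/<realm>` to find a realm that is already in the broken state, and wire `validate_header_value` into whatever automation applies realm updates so the newline never reaches the server in the first place.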

Key dates

02 Disclosure timeline

January 14, 2025 CVE published
November 20, 2025 Record updated