CVE-2025-11538 MEDIUM

CVE-2025-11538: Keycloak-server: debug default bind address

Vendor: Keycloak
Product: keycloak
Weakness: CWE-1327
Published: November 13, 2025
Last update: December 19, 2025

CVSS base score

6.8/10
Attack vector: Adjacent
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
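As an added defensive check (not part of this advisory or of the Keycloak project), the script below parses a JVM command line for the JDWP agent options and reports whether the debug listener would bind to all interfaces. The sample command lines are constructed; the rule that a bare port in `address=` means localhost-only on JDK 9+ but all interfaces on JDK 8 is documented JVM behaviour the example relies on.

```python
import re

# Matches the JDWP agent token, e.g. -agentlib:jdwp=transport=dt_socket,server=y,address=*:8787
JDWP_RE = re.compile(r"-agent(?:lib|path):\S*jdwp\S*")
# Host values that make the JDWP listener reachable from the network.
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}


def parse_jdwp_options(cmdline):
    """Return the jdwp key=value options from a JVM command line, or None if no JDWP agent is set."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return None
    token = m.group(0)
    opts = token.split("=", 1)[1] if "=" in token else ""
    result = {}
    for kv in opts.split(","):
        if "=" in kv:
            key, value = kv.split("=", 1)
            result[key.strip()] = value.strip()
    return result


def jdwp_bind_host(address, modern_jdk=True):
    """Host part of a JDWP address. A bare port means localhost on JDK 9+, all interfaces on JDK 8."""
    if address is None:
        return None
    if ":" in address:
        host, _port = address.rsplit(":", 1)
        return host
    return "localhost" if modern_jdk else "*"


def classify_debug_exposure(cmdline, modern_jdk=True):
    """Classify a JVM command line as no-jdwp, client-mode, loopback, specific-interface or exposed."""
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return "no-jdwp"
    if opts.get("server", "n") != "y":
        return "client-mode"  # JVM dials out to a debugger; it does not listen
    host = jdwp_bind_host(opts.get("address"), modern_jdk)
    if host in WILDCARD_HOSTS:
        return "exposed"
    return "loopback" if host in LOOPBACK_HOSTS else "specific-interface"


if __name__ == "__main__":
    # Constructed sample command lines (not taken from Keycloak's launcher script).
    samples = [
        "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8787 -jar quarkus-run.jar",
        "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:8787 -jar quarkus-run.jar",
        "java -jar quarkus-run.jar",
    ]
    for line in samples:
        print(classify_debug_exposure(line), "<-", line)
```

Run against `/proc/<pid>/cmdline` (NUL bytes replaced with spaces) or `ps -o args=` output to audit live JVMs; pass `modern_jdk=False` for JDK 8 hosts.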

Key dates

Disclosure timeline

November 13, 2025: CVE published
December 19, 2025: Record updated