Keycloak logs sensitive headers

Description

A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.

Patches are available, see:

  • https://github.com/keycloak/keycloak/releases/tag/26.4.11
  • https://github.com/keycloak/keycloak/releases/tag/26.5.6
  • https://github.com/keycloak/keycloak/releases/tag/26.6.0
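As an added illustration (not code from the advisory or the Keycloak project), a small Python scan that checks existing log files for the Authorization and Cookie headers named above and a redaction helper for lines that are about to be written or shipped. The "Name: value" header layout and the sample log lines are constructed for the example and do not reproduce Keycloak's actual output format.

```python
import re
from typing import Iterable, List, Tuple

# Header names whose values are credentials (bearer tokens, session cookies).
SENSITIVE_HEADERS = ("authorization", "cookie")

# Matches "Name: value" the way a verbose pattern prints a header map.
# The value ends at a comma (next header), a closing brace/bracket or end of line.
# This layout is an assumption for the example, not Keycloak's exact format.
_HEADER_RE = re.compile(
    r"(?i)\b(%s)\s*[:=]\s*([^\r\n,}\]]+)" % "|".join(SENSITIVE_HEADERS)
)


def mask(value: str, keep: int = 6) -> str:
    """Keep only a short prefix (e.g. the auth scheme) so a report is safe to share."""
    value = value.strip()
    return value[:keep].rstrip() + "***"


def find_leaked_headers(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, header, masked_value) for each credential-bearing header
    found in cleartext. Run it over existing logs to size the exposure."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for m in _HEADER_RE.finditer(line):
            findings.append((line_no, m.group(1).lower(), mask(m.group(2))))
    return findings


def redact_line(line: str) -> str:
    """Replace sensitive header values before a line is written or shipped."""
    return _HEADER_RE.sub(lambda m: f"{m.group(1)}: [REDACTED]", line)


# Constructed sample lines in the style of a verbose request log (not real output).
SAMPLE_LOG = [
    "2026-02-10 12:30:28,101 INFO [request-log] (exec-1) GET /realms/demo/account "
    "headers={Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.example, "
    "Cookie: KEYCLOAK_SESSION=demo/abc123; KEYCLOAK_IDENTITY=eyJ.identity}",
    "2026-02-10 12:30:29,002 INFO [request-log] (exec-2) GET /realms/demo/.well-known/openid-configuration "
    "headers={Accept: application/json, User-Agent: curl/8.4}",
    "2026-02-10 12:30:30,417 DEBUG [request-log] (exec-1) POST /realms/demo/protocol/openid-connect/token "
    "headers={Content-Type: application/x-www-form-urlencoded, Authorization: Basic Y2xpZW50OnNlY3JldA==}",
]

if __name__ == "__main__":
    for line_no, header, hint in find_leaked_headers(SAMPLE_LOG):
        print(f"line {line_no}: {header} leaked ({hint})")
    print(redact_line(SAMPLE_LOG[0]))
```

Any hit from the scan means the tokens and cookies in those lines should be treated as exposed and rotated, not just scrubbed from the file.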

Basic information

Type
reviewed
Severity
medium
Published (advisory)
2026-02-10 12:30:28 UTC
Updated
2026-04-08 21:55:48 UTC
GitHub reviewed
2026-02-11 19:08:55 UTC
NVD published
2026-02-10

EPSS Score

Score: 0.01%
Percentile: 0.26%

CVSS Scores

Base score: 5.0 (CVSS version 3.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack vector (AV:L)
Requires an existing execution foothold on the target host, or depends on another user's mistaken or malicious action to trigger.
Attack complexity (AC:L)
Preconditions are clear and the path to success is stable; it does not depend on rare race conditions or demanding environments.
Privileges required (PR:L)
Ordinary user privileges suffice; administrator or root is not needed.
User interaction (UI:R)
One explicit user action (installing, changing configuration, opening a malicious document, etc.) is needed before the attack lands.
Scope (S:U)
Damage is confined to the vulnerable component's own security privileges and trust domain.
Confidentiality impact (C:H)
Bulk reading, exporting, or long-term covert theft of confidential data is realistic in practice.
Integrity impact (I:N)
Damage to record authenticity and non-repudiation is negligible.
Availability impact (A:N)
Does not cause a business-relevant prolonged outage or catastrophic performance collapse.

Identifiers

CWEs

CWE-117: Improper Output Neutralization for Logs

Credits

  • julianladisch (analyst)
  • eminaktas (analyst)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem: maven
Package: org.keycloak:keycloak-quarkus-server
Vulnerable range: < 26.5.6
First patched: 26.5.6
Vulnerable functions: none listed
