Keycloak JDWP debug mode auto bind to 0.0.0.0 RCE
CVE-2025-11538 Published on November 13, 2025

Keycloak-server: debug default bind address
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
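As an added defender-side check (not from the advisory or the Keycloak project), the script below cross-references `ss -ltnp` output with each JVM's command line and reports any JDWP listener bound to every interface rather than to loopback; the socket rows and command lines are constructed sample data, and the `ss` column layout and the `-agentlib:jdwp=...,address=host:port` option syntax are assumed.

```python
import re

# Hosts that mean "every interface" in ss output or in a jdwp address= option.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}
# One `ss -ltnp` LISTEN row: local host, port, owning java PID (column layout assumed).
SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("java",pid=(\d+)')


def jdwp_address(cmdline):
    """Return (host, port) from a JVM's -agentlib:jdwp=...,address=... option, or None.
    host is "" when only a port is given; the socket check below then decides."""
    m = re.search(r"-agentlib:jdwp=(\S+)", cmdline)
    if not m:
        return None
    opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
    host, _, port = opts.get("address", "").rpartition(":")
    return host.strip("[]"), port


def exposed_jdwp_listeners(ss_output, cmdlines):
    """Return [(pid, host, port)] for JDWP ports bound to a wildcard address,
    i.e. reachable from the network rather than only from localhost."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        host, port, pid = m.group(1).strip("[]"), m.group(2), int(m.group(3))
        jdwp = jdwp_address(cmdlines.get(pid, ""))
        if jdwp and jdwp[1] == port and host in WILDCARD_HOSTS:
            findings.append((pid, host, port))
    return findings


# Constructed sample data (not captured from a real host): PID 4242 debugs on
# every interface, PID 4243 on loopback only, and 8080 is an ordinary HTTP port.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:8787       0.0.0.0:*         users:(("java",pid=4242,fd=7))
LISTEN 0      4096   [::]:8080          [::]:*            users:(("java",pid=4242,fd=9))
LISTEN 0      4096   127.0.0.1:8788     0.0.0.0:*         users:(("java",pid=4243,fd=7))
"""
SAMPLE_CMDLINES = {
    4242: "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8787 -jar app.jar",
    4243: "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:8788 -jar app.jar",
}

if __name__ == "__main__":
    for pid, host, port in exposed_jdwp_listeners(SAMPLE_SS, SAMPLE_CMDLINES):
        print(f"pid {pid}: JDWP on {host}:{port} is reachable from the network")
```

On a real host, feed it the output of `ss -ltnp` and the contents of `/proc/<pid>/cmdline` for each java process; an empty result means every debug port is bound to loopback.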


Vulnerability Analysis

Attack Vector: ADJACENT_NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

Timeline

Reported to Red Hat.

Made public, 35 days later.

Weakness Type

Binding to an Unrestricted IP Address

The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.



Affected Versions

keycloak: Red Hat build of Keycloak 26.4, Red Hat build of Keycloak 26.4.4

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-11538

Package Manager   Vulnerable Package                   Versions   Fixed In
maven             org.keycloak:keycloak-quarkus-dist   < 26.4.4   26.4.4

Exploit Probability

EPSS: 0.02%
Percentile: 4.06%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.