CVE-2025-11419 - Vulnerability Details

- Keycloak: keycloak tls client-initiated renegotiation denial of service

Description

A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable.

Published: 2025-12-23

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Keycloak permits an unauthenticated remote attacker to trigger repeated TLS 1.2 client‑initiated renegotiation requests, consuming significant CPU resources and rendering the service unavailable. The vulnerability does not affect confidentiality or integrity, but it can be used to cause a temporary loss of availability for any users or clients relying on the Keycloak instance.

Affected Systems

The security advisory lists Red Hat build of Keycloak 26.0—including the 26.0.16 revision—and Red Hat build of Keycloak 26.2, including the 26.2.10 revision, as affected products. All other builds not listed remain unaffected.

Risk and Exploitability

The CVSS score of 7.5 indicates a moderate‑to‑severe risk, yet the EPSS score is below 1 % and the vulnerability is not currently listed in the CISA KEV catalog, suggesting a low probability of widespread exploitation. An attacker only needs the ability to connect to the Keycloak server and initiate TLS renegotiation; no authentication or privileged credentials are required. Once engaged, the repeated renegotiation cycles can exhaust CPU resources, leading to a denial of service that lasts until the server restarts or the workload is mitigated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

unaffected

Version	Status	Constraints
`0`	affected	< 26.0.16
`26.1.0`	unknown	< 26.1.*
`26.2.0`	affected	< 26.2.10
`26.3.0`	unknown	< 26.3.*
`26.4.0`	affected	< 26.4.1

Red Hat

Red Hat build of Keycloak 26.0

affected

Version	Status	Constraints
`26.0.16-2`	unaffected	< *

Red Hat

Red Hat build of Keycloak 26.0

affected

Version	Status	Constraints
`26.0-20`	unaffected	< *

Red Hat

Red Hat build of Keycloak 26.0

affected

Version	Status	Constraints
`26.0-21`	unaffected	< *

Red Hat Red Hat build of Keycloak 26.0.16 unaffected —

Red Hat

Red Hat build of Keycloak 26.2

affected

Version	Status	Constraints
`26.2.10-2`	unaffected	< *

Red Hat

Red Hat build of Keycloak 26.2

affected

Version	Status	Constraints
`26.2-11`	unaffected	< *

Red Hat

Red Hat build of Keycloak 26.2

affected

Version	Status	Constraints
`26.2-11`	unaffected	< *

Red Hat Red Hat build of Keycloak 26.2.10 unaffected —

No data.

No data available yet.

Remediation

Vendor Workaround

To mitigate this vulnerability, configure Keycloak to reject client-initiated TLS renegotiation by adding the following Java system property to the Keycloak startup configuration: -Djdk.tls.rejectClientInitiatedRenegotiation=true This prevents unauthenticated attackers from triggering repeated TLS renegotiations and exhausting server CPU resources. Additionally, ensure that Keycloak is deployed behind proper network access controls and rate-limiting mechanisms to further reduce exposure to DoS attacks.

OpenCVE Recommended Actions

Apply the Red Hat security updates RHSA‑2025‑18254 and RHSA‑2025‑18255 that contain the Keycloak patch.
If a patch is unavailable, start Keycloak with the Java system property –Djdk.tls.rejectClientInitiatedRenegotiation=true to disable client‑initiated TLS renegotiation.
Configure network‑level controls, such as a firewall or web‑application firewall, to limit the rate of TLS handshake attempts and further protect the service from potential DoS traffic.

Generated by OpenCVE AI on April 22, 2026 at 11:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-q8hq-4h99-fj7x	Keycloak TLS Client-Initiated Renegotiation Denial of Service

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00046.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:18254
https://access.redhat.com/errata/RHSA-2025:18255
https://access.redhat.com/errata/RHSA-2025:18889
https://access.redhat.com/errata/RHSA-2025:18890
https://access.redhat.com/security/cve/CVE-2025-11419
https://bugzilla.redhat.com/show_bug.cgi?id=2402142
https://github.com/keycloak/keycloak/discussions/25209
https://github.com/keycloak/keycloak/issues/43020
https://nvd.nist.gov/vuln/detail/CVE-2025-11419
https://www.cve.org/CVERecord?id=CVE-2025-11419

History

Mon, 20 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
References		https://github.com/keycloak/keycloak/discussions/25209 https://github.com/keycloak/keycloak/issues/43020

Tue, 23 Dec 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 23 Dec 2025 20:45:00 +0000

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable.
Title	keycloak: Keycloak TLS Client-Initiated Renegotiation Denial of Service	Keycloak: keycloak tls client-initiated renegotiation denial of service
First Time appeared		Redhat Redhat build Keycloak
CPEs		cpe:/a:redhat:build_keycloak:26.0 cpe:/a:redhat:build_keycloak:26.0::el9 cpe:/a:redhat:build_keycloak:26.2::el9
Vendors & Products		Redhat Redhat build Keycloak
References		https://access.redhat.com/errata/RHSA-2025:18254 https://access.redhat.com/errata/RHSA-2025:18255 https://access.redhat.com/errata/RHSA-2025:18889 https://access.redhat.com/errata/RHSA-2025:18890 https://access.redhat.com/security/cve/CVE-2025-11419 https://bugzilla.redhat.com/show_bug.cgi?id=2402142

Wed, 08 Oct 2025 00:15:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		keycloak: Keycloak TLS Client-Initiated Renegotiation Denial of Service
Weaknesses		CWE-770
References		https://nvd.nist.gov/vuln/detail/CVE-2025-11419 https://www.cve.org/CVERecord?id=CVE-2025-11419
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Important`

Subscriptions

Redhat Build Keycloak

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-12-23T20:42:38.699Z

Updated: 2026-04-20T17:45:58.307Z

Reserved: 2025-10-07T11:19:18.134Z

Link: CVE-2025-11419

Vulnrichment

Updated: 2025-12-23T20:52:32.002Z

NVD

Status : Deferred

Published: 2025-12-23T21:15:46.557

Modified: 2026-04-20T18:16:22.450

Link: CVE-2025-11419

Redhat

Severity : Important

Publid Date: 2025-10-07T00:00:00Z

Links: CVE-2025-11419 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses

CWE-770

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object