Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page

GHSA-m32f-8vh9-2hh3 · CVE-2026-37980

Published Apr 14, 2026 · Modified Apr 16, 2026

Description

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with manage-realm or manage-organizations administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the organization.alias is placed into an inline JavaScript onclick handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-37980
WEB https://github.com/keycloak/keycloak/issues/48049
WEB https://access.redhat.com/security/cve/CVE-2026-37980
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2455325
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes