Home

Description

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization.alias` is placed into an inline JavaScript `onclick` handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm.

PUBLISHED Reserved 2026-04-06 | Published 2026-04-14 | Updated 2026-04-14 | Assigner redhat




MEDIUM: 6.9CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
affected

Timeline

2026-04-06:Reported to Red Hat.
2026-04-06:Made public.

References

access.redhat.com/security/cve/CVE-2026-37980 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2455325 (RHBZ#2455325) issue-tracking

cve.org (CVE-2026-37980)

nvd.nist.gov (CVE-2026-37980)

Download JSON