
Keycloak Login Page Allows Remote Code Execution

CVE-2026-37980 GHSA-m32f-8vh9-2hh3
Summary

A critical flaw in the Keycloak organization-selection login page allows an attacker who already holds administrative privileges to inject malicious code that runs in a user's browser, potentially leading to stolen sessions, unauthorized account actions, or further attacks. The attacker needs elevated permissions; any user who views the affected login page can be targeted. To protect your users, update your Keycloak installation to the latest version.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Ecosystem | Vendor | Product                        | Affected versions
maven     | –      | org.keycloak:keycloak-services | <= 26.5.5
Original title
Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page
Original description
A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization.alias` is placed into an inline JavaScript `onclick` handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm.
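The two rendering patterns behind the bug class described above, shown as an added example that is not Keycloak's own template code; selectOrg(), the button markup and the data-attribute name are assumptions:

```javascript
// Added example, not Keycloak's own code: the rendering pattern to avoid, its
// hardened counterpart, and a check a reviewer or regression test can run over
// rendered login-page HTML. selectOrg() and the markup are assumed.

// Escape a value for HTML text or a double-quoted HTML attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Pattern to avoid: the alias is interpolated into a JavaScript string inside an
// inline onclick attribute. The browser HTML-decodes the attribute value before
// the JavaScript parser sees it, so HTML escaping alone cannot make this safe.
function renderOrgOptionInline(alias) {
  return `<button onclick="selectOrg('${escapeHtml(alias)}')">${escapeHtml(alias)}</button>`;
}

// Hardened pattern: no inline handler at all. The alias only ever appears in
// HTML attribute and text context, where escapeHtml() is the correct encoder,
// and one listener registered by the page script reads the data attribute.
function renderOrgOptionSafe(alias) {
  const a = escapeHtml(alias);
  return `<button type="button" class="org-option" data-org-alias="${a}">${a}</button>`;
}

// Listener the page script would register once (assumes a DOM is present).
function bindOrgSelection(container, selectOrg) {
  container.addEventListener("click", (event) => {
    const button = event.target.closest("button.org-option");
    if (button) selectOrg(button.dataset.orgAlias);
  });
}

// Review/regression check: rendered login-page HTML should contain no inline
// event-handler attributes, because they place page data in script context.
function hasInlineEventHandler(html) {
  return /\son[a-z]+\s*=/i.test(html);
}
```

The check is deliberately coarse: it flags any `on*=` attribute so that a template change reintroducing an inline handler fails a test rather than a code review.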
NVD CVSS 3.1 score: 6.9
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 14 Apr 2026 · Updated: 16 Apr 2026 · First seen: 14 Apr 2026