Keycloak Error Description Injection Vulnerability in the Account Console

Vulnerability

A vulnerability exists in Keycloak's account console and other pages where attacker-supplied text in the error_description query parameter is reflected on error pages without any validation or sanitization. Although HTML encoding mitigates cross-site scripting (XSS), the flaw lets an attacker craft URLs carrying deceptive messages, such as a fake support phone number or URL, that are displayed within the trusted Keycloak user interface and can be used for phishing by tricking users into contacting malicious parties.

Impact

Exploitation of this vulnerability creates a phishing opportunity: misleading messages injected into the Keycloak user interface may deceive users into contacting malicious actors.
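The mitigation pattern for this class of flaw, as an added illustration rather than Keycloak's own code: map the error code to server-owned text instead of echoing error_description, and flag request URLs whose error_description carries a URL or phone-number-like lure. The error-code table, message wording, sample URLs and function names are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Server-owned messages keyed by expected error codes. The code list and
# wording are assumptions for this example, not Keycloak's own table.
KNOWN_ERRORS = {
    "invalid_request": "The request was malformed. Please try signing in again.",
    "access_denied": "Access was denied.",
    "invalid_grant": "The session has expired. Please sign in again.",
    "server_error": "An unexpected error occurred.",
}
GENERIC_MESSAGE = "An error occurred. Please try again."

# Heuristics for lure content in free text: URLs and phone-number-like digit runs.
# These are coarse and will produce some false positives; tune before production use.
_URL_RE = re.compile(r"(?i)(https?://|www\.)\S+")
_PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def render_error_message(error, error_description):
    """Never echo caller-supplied error_description; only the code selects fixed text."""
    return KNOWN_ERRORS.get((error or "").strip(), GENERIC_MESSAGE)


def is_suspicious_description(description):
    """True when free text looks like a phishing lure (embedded URL or phone number)."""
    return bool(_URL_RE.search(description) or _PHONE_RE.search(description))


def audit_url(url):
    """Parse one request URL and report whether its error_description warrants review."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    description = params.get("error_description", [""])[0]
    return {
        "path": parsed.path,
        "description": description,
        "suspicious": is_suspicious_description(description),
        "rendered": render_error_message(params.get("error", [""])[0], description),
    }


# Constructed sample request URLs (not taken from the advisory) to exercise the audit.
SAMPLE_URLS = [
    "https://idp.example.test/realms/demo/account/?error=invalid_grant&error_description=Session+expired",
    "https://idp.example.test/realms/demo/account/?error=access_denied&error_description=Account+locked.+Call+support+at+%2B1+555+0100+now",
    "https://idp.example.test/realms/demo/account/?error=server_error&error_description=Verify+at+http://evil.example.test/reset",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(audit_url(sample))
```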

Added: Sep 5, 2025, 8:31 PM
Updated: Sep 5, 2025, 8:31 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.5
remediation: 0.0
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.