CVE-2022-1274 - How a Simple HTML Injection Flaw in Keycloak's Email Endpoint Puts User Security at Risk

_Keycloak_ is a popular open source identity and access management solution. It helps businesses handle things like user logins, signups, password resets, and more. But, in early 2022, security researchers found a troubling vulnerability in Keycloak that could have a big impact: CVE-2022-1274.

This post will walk you through what the vulnerability is, why it matters, how attackers can use it, and steps you can take to keep your users safe.

What is CVE-2022-1274?

At its core, CVE-2022-1274 is an HTML injection vulnerability in Keycloak’s /execute-actions-email endpoint. If you’re not familiar, that’s an API endpoint responsible for sending out emails when certain actions are triggered—like asking users to reset their password or update account details.

The flaw: Keycloak did not properly sanitize user input in action-triggered emails. This means attackers could inject arbitrary HTML specifically into emails sent from your Keycloak instance to your users.

Why it matters: If an attacker can control even a small piece of content in an email, they might insert links, forms, scripts, or other HTML elements designed to trick your users—classic phishing territory.

How Does the Attack Work?

To trigger the bug, an attacker finds a way to initiate the execute-actions-email endpoint with a crafted payload. For example, during account recovery or password resets, an attacker enters a malicious value in a field that gets reflected in the email body.

Here’s a Simplified Attack Scenario

1. Attacker signs up or triggers an action where some profile field (say, "first name" or "username") ends up in the “action email” sent from Keycloak.

`html

Click me

`

3. Keycloak sends a legitimate-looking email to the user—or, with some variations, the attacker could inject their HTML into emails destined for *other* users.

4. The victim opens the email. The raw HTML is rendered, and the phishing link (“Click me”) appears convincing within a trusted email ("From: no-reply@yourcompany.com" or similar).

The victim clicks the link, potentially giving up sensitive data to the attacker.

The seriousness? Emails from trusted sources like account management portals are much more likely to be opened—and believed—by users.

The problematic code in Keycloak (simplified for clarity) looked something like this

// Java pseudo-code from Keycloak's email sending logic
String emailBody = "<p>Hello " + user.getFirstName() + ",</p>" +
                   "<p>Click this link to reset your password: " + resetLink + "</p>";
sendEmail(user.getEmail(), "Reset your password", emailBody);

The problem: If user.getFirstName() contains HTML, it goes straight into the email. So if the value is <img src=x onerror=alert('XSS')>, the HTML shows up in the user's inbox.

`

Verify your account now!

`

Hello Verify your account now!,
 
  To reset your password, click here: https://keycloak.example.com/reset?token=XYZ

`

Most modern email clients will render the HTML, making the phishing link look legitimate or official.

References

- CVE Entry: NVD - CVE-2022-1274
- Keycloak Security Advisory: Keycloak Security Advisory 2022-03: HTML Injection in execute-actions-email Endpoint
- Keycloak’s GitHub Issue: KEYCLOAK-17988 - HTML Injection in Action Email Endpoint
- Upstream Fix Commit: GitHub keycloak/9023  

How to Protect Your Users

If you manage a Keycloak instance, upgrade NOW.  
Versions 17..1 and newer include the fix, where user-supplied values are properly sanitized and escaped before being added to emails.

Other steps you can take

- If you can’t upgrade immediately, restrict who can register—especially if self-registration includes unverified fields.
- Scan your email templates for other spots where user input might be directly inserted and sanitize/escape as appropriate.

Summary

CVE-2022-1274 is a prime example of a simple input validation mistake that could allow attackers to launch convincing phishing campaigns right from your own authentication system. Don’t wait to fix this—Keycloak patched the vulnerability quickly, so just update to the latest version.

Stay safe, patch often, and always treat user input as untrusted—even inside ‘trusted’ systems like your SSO provider.


*For more technical details or questions, see the official Keycloak advisory or contact the Keycloak community*.


*(This article is written soberly and exclusively for your awareness—please use this knowledge to protect, not attack.)*

Timeline

Published on: 03/29/2023 21:15:00 UTC
Last modified on: 04/08/2023 01:55:00 UTC