A critical security flaw (CVE-2022-1274) has been recently discovered in the Keycloak's execute-actions-email endpoint, which can allow malicious actors to inject arbitrary HTML into emails sent to Keycloak users. This vulnerability poses a significant risk to users, as it can be misused to carry out phishing or other attacks. This post provides an in-depth analysis of the exploit details, code snippets, links to original references, and possible defenses against this vulnerability.

Exploit Details

The vulnerability resides in Keycloak's execute-actions-email endpoint, which is designed to perform various actions, such as resetting passwords, through email messages. The issue occurs when malicious HTML is included as a user-supplied input, which is then embedded in the email template without proper sanitization. This allows an attacker to craft an email with malicious content (such as links to phishing websites) and send it to Keycloak users.

Code Snippet

A simple example of an HTML injection payload in the execute-actions-email endpoint could look like this:

    <title>Malicious Email</title>
    <h1>Important Security Update</h1>
      Please click the link below to update your Keycloak security settings:
    <a href="http://phishing.example.com/keycloak-update">Update Settings</a>

This payload could be included in the email template which, when sent to Keycloak users, would display a message instructing them to update their security settings on a malicious website.

Original References

A detailed explanation of the vulnerability has been published by the Keycloak team in their advisory:

- Keycloak Security Advisory: CVE-2022-1274

Furthermore, resources such as NIST and Red Hat provide additional information about the vulnerability and its potential impact:

- NIST National Vulnerability Database: CVE-2022-1274 Detail
- Red Hat Customer Portal: CVE-2022-1274

Defense Measures

In order to mitigate the risks posed by this vulnerability, organizations and individuals using Keycloak should take the following steps:

- Update Keycloak to the latest version: The Keycloak team has released patches that fix this vulnerability. All users should upgrade to the latest version of Keycloak as soon as possible. Patched versions can be found in the Keycloak Releases page.
- Perform input validation and output sanitization: To prevent HTML injection attacks, always validate user input and sanitize output that includes user-supplied data. This ensures that malicious payloads are removed from the data before it is embedded in email templates or other content.
- Educate users about phishing attacks: On a broader level, organizations should ensure that their users are educated about the risks of phishing attacks and recognize the signs of a malicious email.


The CVE-2022-1274 vulnerability in Keycloak's execute-actions-email endpoint highlights the importance of proper input validation and output sanitization in web applications. By updating to the latest version of Keycloak and implementing robust defenses, organizations can mitigate the risks posed by this and similar vulnerabilities.


Published on: 03/29/2023 21:15:00 UTC
Last modified on: 04/08/2023 01:55:00 UTC