CVE-2024-4028 is a security vulnerability identified in Keycloak version 18.0.8, a widely used open-source identity and access management solution. The flaw arises from improper input validation when a privileged user creates items such as Resources and Permissions through the administrative console. Specifically, an attacker with administrative privileges can inject malicious scripts into the permission fields. These scripts are then stored persistently within the system, leading to a stored cross-site scripting (XSS) vulnerability. When other administrators or users with access to the affected interface view these permissions, the malicious scripts can execute in their browsers, potentially allowing session hijacking, privilege escalation, or other malicious actions. The vulnerability does not require user interaction beyond the attacker’s initial privileged access and does not affect system availability. The CVSS 3.1 base score is 3.8, reflecting a low severity primarily due to the requirement of high privileges and limited impact on confidentiality and integrity. No public exploits have been reported to date. The vulnerability was published in February 2025, with no official patches linked yet, indicating the need for immediate attention from administrators to mitigate risks.

For European organizations, the impact of CVE-2024-4028 is primarily on the confidentiality and integrity of administrative sessions within Keycloak deployments. Since Keycloak is often used to manage authentication and authorization for enterprise applications, a successful stored XSS attack could allow an attacker to hijack admin sessions, manipulate permissions, or gain unauthorized access to sensitive identity data. This could lead to broader compromise of connected systems and data breaches. The requirement for privileged access limits the threat to insiders or attackers who have already compromised administrative credentials. However, given the critical role of Keycloak in identity management, even limited exploitation could disrupt secure operations and erode trust in authentication infrastructure. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks. Organizations relying on Keycloak 18.0.8 should consider the risk significant enough to warrant prompt mitigation, especially in sectors with stringent data protection regulations such as finance, healthcare, and government.

1. Restrict administrative console access strictly to trusted personnel and secure it with multi-factor authentication to reduce the risk of privileged account compromise. 2. Monitor and audit administrative actions within Keycloak to detect unusual permission creation or modification activities. 3. Implement web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting the admin console. 4. Sanitize and validate all inputs on the server side, especially those related to permissions and resource creation, to prevent injection of malicious scripts. 5. Regularly update Keycloak to the latest stable versions once patches addressing CVE-2024-4028 are released. 6. Consider isolating the admin console network access or using VPNs to limit exposure. 7. Educate administrators about the risks of stored XSS and safe handling of permission configurations. 8. Conduct penetration testing focused on the admin interface to identify any residual injection flaws.