CVE-2026-9086
Analyzed Analyzed - Analysis Complete

Keycloak Client URI Validation Bypass Leads to XSS

Vulnerability report for CVE-2026-9086, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-15

Assigner: Red Hat, Inc.

Description

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
redhat build_of_keycloak From 26.6 (inc) to 26.6.4 (exc)
redhat build_of_keycloak From 26.4 (inc) to 26.4.13 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-9086 is a vulnerability in Keycloak that allows a remote attacker with administrative privileges, specifically those with the 'manage-client' permission or access to client registration endpoints, to bypass client Uniform Resource Identifier (URI) validation.

The attacker can register a malicious client with a specially crafted redirect URI using a case-insensitive 'javascript:' or 'data:' scheme. This bypass leads to a Cross-Site Scripting (XSS) vulnerability, enabling arbitrary code execution in the Keycloak origin when a victim interacts with the crafted link, such as during the logout flow or within the Admin Console.

Impact Analysis

This vulnerability can lead to arbitrary code execution within the Keycloak origin, which means an attacker could execute malicious scripts in the context of the Keycloak application.

Such an attack could compromise the security of users interacting with Keycloak, potentially leading to session hijacking, unauthorized actions, or exposure of sensitive information.

Because the attacker needs administrative privileges with 'manage-client' permission or access to client registration endpoints, the impact is significant in environments where such privileges are granted.

Detection Guidance

Detection of this vulnerability involves identifying if any malicious clients have been registered with specially crafted redirect URIs that use a case-insensitive "javascript:" or "data:" scheme. Since the vulnerability is related to client registration endpoints and administrative privileges, monitoring and auditing client registrations for suspicious redirect URIs is essential.

Commands or methods to detect this may include querying the Keycloak client configurations to list redirect URIs and searching for those that start with or contain case-insensitive variants of "javascript:" or "data:" schemes.

  • Use Keycloak Admin REST API or CLI tools to list all clients and their redirect URIs.
  • Search for redirect URIs matching regex patterns like `(?i)^(javascript:|data:)` to detect case-insensitive matches.
  • Example command using a REST API call (replace placeholders accordingly):
  • curl -X GET -H "Authorization: Bearer <admin-token>" https://<keycloak-server>/auth/admin/realms/<realm>/clients | jq '.[] | select(.redirectUris[] | test("^(?i)(javascript:|data:)") )'
Mitigation Strategies

Immediate mitigation steps include restricting administrative access to only trusted users with the `manage-client` permission, auditing existing clients for malicious redirect URIs, and removing or correcting any clients that use unsafe URI schemes.

Additionally, applying any available patches or updates from Keycloak that address this vulnerability is critical to prevent exploitation.

  • Audit and remove clients with redirect URIs using case-insensitive "javascript:" or "data:" schemes.
  • Limit `manage-client` permissions to trusted administrators only.
  • Apply official security patches or updates from Keycloak as soon as they become available.
  • Monitor logs and client registrations for suspicious activity.
Compliance Impact

The vulnerability in Keycloak allows a remote attacker with administrative privileges to bypass client URI validation and execute arbitrary code via a crafted redirect URI. This Cross-Site Scripting (XSS) flaw could lead to unauthorized actions within the Keycloak system.

Such unauthorized code execution and potential misuse of administrative privileges could impact the confidentiality and integrity of authentication and authorization processes managed by Keycloak.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized access or code execution in identity management systems can pose risks to data protection and privacy requirements mandated by these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart