CVE-2026-9086
Undergoing Analysis - In Progress
Keycloak Client URI Validation Bypass Leads to XSS

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
Meta Information
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: keycloak | Product: keycloak | Version / Range: *
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2026-9086 is a vulnerability in Keycloak that allows a remote attacker with administrative privileges, specifically those with the 'manage-client' permission or access to client registration endpoints, to bypass client Uniform Resource Identifier (URI) validation.

The attacker can register a malicious client with a specially crafted redirect URI using a case-insensitive 'javascript:' or 'data:' scheme. This bypass leads to a Cross-Site Scripting (XSS) vulnerability, enabling arbitrary code execution in the Keycloak origin when a victim interacts with the crafted link, such as during the logout flow or within the Admin Console.

Impact Analysis

This vulnerability can lead to arbitrary code execution within the Keycloak origin, which means an attacker could execute malicious scripts in the context of the Keycloak application.

Such an attack could compromise the security of users interacting with Keycloak, potentially leading to session hijacking, unauthorized actions, or exposure of sensitive information.

Because the attacker needs administrative privileges with 'manage-client' permission or access to client registration endpoints, the impact is significant in environments where such privileges are granted.

Detection Guidance

Detection of this vulnerability involves identifying if any malicious clients have been registered with specially crafted redirect URIs that use a case-insensitive "javascript:" or "data:" scheme. Since the vulnerability is related to client registration endpoints and administrative privileges, monitoring and auditing client registrations for suspicious redirect URIs is essential.

Commands or methods to detect this may include querying the Keycloak client configurations to list redirect URIs and searching for those that start with or contain case-insensitive variants of "javascript:" or "data:" schemes.

  • Use the Keycloak Admin REST API or CLI tools to list all clients and their redirect URIs.
  • Search for redirect URIs matching a case-insensitive regex such as `(?i)^(javascript:|data:)`.
  • Example REST API call (replace placeholders accordingly; the `/auth` path prefix applies to the legacy WildFly-based distribution and is dropped by default in the Quarkus distribution). The `any(...)` wrapper emits each offending client once and tolerates clients without a `redirectUris` field:
  • curl -X GET -H "Authorization: Bearer <admin-token>" https://<keycloak-server>/auth/admin/realms/<realm>/clients | jq '.[] | select(any(.redirectUris[]?; test("^(javascript:|data:)"; "i")))'
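The same audit as an offline script, added here as an example and not code from the CVE record or the Keycloak project. It runs over the JSON the admin REST `clients` endpoint returns (a constructed sample is embedded) and, going one step beyond the plain case-insensitive match, first applies the whitespace and control-character normalization browsers perform before parsing a URL, so that padded or tab-split variants of the scheme are flagged as well.

```python
"""Audit Keycloak client redirect URIs for javascript: / data: schemes."""
import json
import re

# Case-insensitive scheme match, applied after browser-style normalization.
_UNSAFE_SCHEME = re.compile(r"^(javascript|data):", re.IGNORECASE)


def normalize_url(uri: str) -> str:
    """Mimic the pre-processing browsers apply before parsing a URL (WHATWG URL
    standard): strip leading/trailing C0 controls and spaces, then remove every
    ASCII tab, LF and CR from the remainder."""
    uri = uri.strip("".join(chr(c) for c in range(0x21)))
    return re.sub(r"[\t\n\r]", "", uri)


def is_unsafe_redirect_uri(uri: str) -> bool:
    """True when the URI's scheme is javascript: or data:, in any letter case."""
    return bool(_UNSAFE_SCHEME.match(normalize_url(uri)))


def find_unsafe_clients(clients: list) -> dict:
    """Map clientId -> offending redirect URIs for a list of client objects shaped
    like the admin REST API's .../realms/<realm>/clients response."""
    findings = {}
    for client in clients:
        bad = [u for u in client.get("redirectUris", []) if is_unsafe_redirect_uri(u)]
        if bad:
            findings[client.get("clientId", "<no clientId>")] = bad
    return findings


# Constructed sample resembling the admin REST API client list (not real data).
SAMPLE_CLIENTS_JSON = """[
  {"clientId": "web-app", "redirectUris": ["https://app.example.com/*"]},
  {"clientId": "suspicious", "redirectUris": ["https://ok.example.com/cb", "JavaScript:void(0)"]},
  {"clientId": "sneaky", "redirectUris": ["  DATA:text/plain,hello"]},
  {"clientId": "custom-scheme", "redirectUris": ["myapp://callback"]},
  {"clientId": "no-redirects"}
]"""


def audit_sample() -> dict:
    """Run the audit over the embedded sample; returns the findings dict."""
    return find_unsafe_clients(json.loads(SAMPLE_CLIENTS_JSON))


if __name__ == "__main__":
    for client_id, uris in audit_sample().items():
        print(f"{client_id}: {uris}")
```

To audit a live realm, feed the script the JSON saved from the REST call above instead of the embedded sample.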
Mitigation Strategies

Immediate mitigation steps include restricting administrative access to only trusted users with the `manage-client` permission, auditing existing clients for malicious redirect URIs, and removing or correcting any clients that use unsafe URI schemes.

Additionally, applying any available patches or updates from Keycloak that address this vulnerability is critical to prevent exploitation.

  • Audit and remove clients with redirect URIs using case-insensitive "javascript:" or "data:" schemes.
  • Limit `manage-client` permissions to trusted administrators only.
  • Apply official security patches or updates from Keycloak as soon as they become available.
  • Monitor logs and client registrations for suspicious activity.