CVE-2026-9086
HIGH 7.3A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
Severe if exploited (CVSS 7.3), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.4%chance of exploitation in 30 days · 34th percentile
Impact if exploited
7.3CVSS 3.1 · HIGH
- ConfidentialityHigh
- IntegrityHigh
- AvailabilityNone
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ⚠Privileges: Requires a low-privilege account
- ⚠User interaction: A user must take an action (click / open a file)
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Vendors Red Hat
Products Red Hat Build Of Keycloak 26.4 Red Hat Build Of Keycloak 26.4.13 Red Hat Build Of Keycloak 26.6 Red Hat Build Of Keycloak 26.6.4
Weakness (CWE)
- CWE-79: Cross-site scripting (XSS)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N