← All CVEs

CVE-2026-9086

HIGH 7.3

Published 2026-06-25 · Last modified 2026-06-30

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.

ELEVATED IMPACT

Severe if exploited (CVSS 7.3), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.4%chance of exploitation in 30 days · 34th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

7.3CVSS 3.1 · HIGH

  • ConfidentialityHigh
  • IntegrityHigh
  • AvailabilityNone

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: Requires a low-privilege account
  • User interaction: A user must take an action (click / open a file)
  • Complexity: No special conditions — reliably repeatable

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Red Hat

Products Red Hat Build Of Keycloak 26.4 Red Hat Build Of Keycloak 26.4.13 Red Hat Build Of Keycloak 26.6 Red Hat Build Of Keycloak 26.6.4

Weakness (CWE)

  • CWE-79: Cross-site scripting (XSS)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

References

Advisories

Sources: NVD · CVE.org · EPSS