CVE-2026-9086
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Summary
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive javascript: or data: scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4.13-1 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-19 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-19 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6.4-2 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6-8 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6-8 < * | unaffected |
Weaknesses
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Workarounds
To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak's Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the manage-client role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass
Additional References
- https://access.redhat.com/security/cve/CVE-2026-9086
- https://bugzilla.redhat.com/show_bug.cgi?id=2480170
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9086.json
- https://access.redhat.com/errata/RHSA-2026:30050
- https://access.redhat.com/errata/RHSA-2026:30084
- https://access.redhat.com/errata/RHSA-2026:30049
- https://access.redhat.com/errata/RHSA-2026:30083
References
- https://access.redhat.com/errata/RHSA-2026:30049
- https://access.redhat.com/errata/RHSA-2026:30050
- https://access.redhat.com/errata/RHSA-2026:30083
- https://access.redhat.com/errata/RHSA-2026:30084
- https://access.redhat.com/security/cve/CVE-2026-9086
- https://bugzilla.redhat.com/show_bug.cgi?id=2480170
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.