CVE-2026-9086

Summary

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive javascript: or data: scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat build of Keycloak 26.426.4.13-1 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-19 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-19 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6.4-2 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6-8 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6-8 < *unaffected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Workarounds

To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak's Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the manage-client role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass

Additional References

References