Description
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
Published: 2026-06-25
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw allows an attacker with administrative privileges or access to client registration endpoints to bypass URI validation by registering a malicious client with a redirect URI using a case‑insensitive javascript: or data: scheme. When a victim clicks the crafted link, such as in logout or the Admin Console, native JavaScript code runs in the Keycloak origin. This cross‑site scripting exposure can lead to arbitrary code execution within the Keycloak environment.

Affected Systems

The vulnerable product is Red Hat Build of Keycloak. No specific version details are disclosed, so all deployments of this build should be evaluated. The problem resides in the client registration component and the URL validation logic.

Risk and Exploitability

The CVSS base score for this vulnerability is 7.3, indicating moderate‑to‑high severity. EPSS data is not available, but the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote and requires administrative privileges or client registration access. The likely path involves creating a client with a crafted redirect URI that triggers XSS when a user is redirected to execute arbitrary code in the context of Keycloak.

Generated by OpenCVE AI on June 25, 2026 at 18:40 UTC.

Remediation

Vendor Workaround

To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak's Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect.


OpenCVE Recommended Actions

  • Restrict the ability to register new clients and manage existing client configurations by disabling Dynamic Client Registration or enforcing strict policies that require initial access tokens and prevent anonymous registrations.
  • Ensure that only trusted administrators are granted the manage-client role and that this role is limited to the minimal set of users required.
  • Apply the configuration changes and restart the Keycloak service to ensure they take effect.
  • Monitor Red Hat advisories for an official patch and upgrade to the fixed version as soon as it becomes available.

Generated by OpenCVE AI on June 25, 2026 at 18:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Vendors & Products Redhat build Of Keycloak

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:26.4::el9
References

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Thu, 25 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.6::el9
References

Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
Title Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-79
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


Subscriptions

Redhat Build Keycloak Build Of Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-15T00:38:45.921Z

Reserved: 2026-05-20T14:44:12.702Z

Link: CVE-2026-9086

cve-icon Vulnrichment

Updated: 2026-07-15T00:38:45.921Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T15:58:33Z

Links: CVE-2026-9086 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:52Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')