CVE Catalog

CVE-2026-9086

HighCVSS 7.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

34th percentile — higher than 34% of all known CVEs

Summary

A flaw was found in Keycloak allowing a remote attacker with administrative privileges (specifically those with `manage-client` permission or access to client registration endpoints) to bypass client URI validation. The attacker can register a malicious client with a crafted redirect URI using case-insensitive `javascript:` or `data:` schemes, leading to a Cross-Site Scripting (XSS) vulnerability.

Risk Assessment

The risk involves arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or Admin Console. This could lead to session hijacking, data theft, or further privilege escalation.

Recommendation

Immediately update Keycloak to a patched version. Additionally, restrict `manage-client` permissions to trusted administrators and implement server-side URI validation.

Original NVD description (English source)

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS