{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-9086", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-05-20T14:44:12.702Z", "datePublished": "2026-06-25T16:16:46.017Z", "dateUpdated": "2026-06-26T06:26:53.231Z"}, "containers": {"cna": {"title": "Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.4.13-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.4-19", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.4-19", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4.13", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "rhbk/keycloak-rhel9", "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.6", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.6.4-2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.6::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.6", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.6-8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.6::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.6", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.6-8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.6::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.6.4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "rhbk/keycloak-rhel9", "cpes": ["cpe:/a:redhat:build_keycloak:26.6::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:30049", "name": "RHSA-2026:30049", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:30050", "name": "RHSA-2026:30050", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:30083", "name": "RHSA-2026:30083", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:30084", "name": "RHSA-2026:30084", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-9086", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480170", "name": "RHBZ#2480170", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-06-25T15:58:33.359Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "workarounds": [{"lang": "en", "value": "To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak's Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect."}], "timeline": [{"lang": "en", "time": "2026-05-20T14:43:55.195Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-25T15:58:33.359Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank saku0512 for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-26T06:26:53.231Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-25T17:59:48.293762Z", "id": "CVE-2026-9086", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-25T17:59:57.632Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-9086", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-25T17:59:48.293762Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-25T17:59:52.871Z"}}], "cna": {"title": "Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass", "credits": [{"lang": "en", "value": "Red Hat would like to thank saku0512 for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:build_keycloak:26.6::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.6", "versions": [{"status": "unaffected", "version": "26.6.4-2", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.6::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.6", "versions": [{"status": "unaffected", "version": "26.6-8", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.6::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.6", "versions": [{"status": "unaffected", "version": "26.6-8", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9-operator", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.6::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.6.4", "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-05-20T14:43:55.195Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-25T15:58:33.359Z", "value": "Made public."}], "datePublic": "2026-06-25T15:58:33.359Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:30083", "name": "RHSA-2026:30083", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:30084", "name": "RHSA-2026:30084", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-9086", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480170", "name": "RHBZ#2480170", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak's Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-25T20:56:55.198Z"}, "x_redhatCweChain": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}}, "cveMetadata": {"cveId": "CVE-2026-9086", "state": "PUBLISHED", "dateUpdated": "2026-06-25T20:56:55.198Z", "dateReserved": "2026-05-20T14:44:12.702Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-06-25T16:16:46.017Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{}

{"acknowledgement": "Red Hat would like to thank saku0512 for reporting this issue.", "affected_release": [{"advisory": "RHSA-2026:30084", "cpe": "cpe:/a:redhat:build_keycloak:26.6::el9", "package": "rhbk/keycloak-operator-bundle:26.6.4-2", "product_name": "Red Hat build of Keycloak 26.6", "release_date": "2026-06-25T00:00:00Z"}, {"advisory": "RHSA-2026:30084", "cpe": "cpe:/a:redhat:build_keycloak:26.6::el9", "package": "rhbk/keycloak-rhel9:26.6-8", "product_name": "Red Hat build of Keycloak 26.6", "release_date": "2026-06-25T00:00:00Z"}, {"advisory": "RHSA-2026:30084", "cpe": "cpe:/a:redhat:build_keycloak:26.6::el9", "package": "rhbk/keycloak-rhel9-operator:26.6-8", "product_name": "Red Hat build of Keycloak 26.6", "release_date": "2026-06-25T00:00:00Z"}, {"advisory": "RHSA-2026:30083", "cpe": "cpe:/a:redhat:build_keycloak:26.6::el9", "package": "rhbk/keycloak-rhel9", "product_name": "Red Hat build of Keycloak 26.6.4", "release_date": "2026-06-25T00:00:00Z"}], "bugzilla": {"description": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass", "id": "2480170", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480170"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak's Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect."}, "name": "CVE-2026-9086", "public_date": "2026-06-25T15:58:33Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-9086\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-9086"], "statement": "This flaw is rated as High. Keycloak's client URI validation is vulnerable to a case-insensitivity issue, allowing attackers to bypass scheme blocklists by using mixed-case `javascript:` or `data:` URIs. This can lead to cross-site scripting (XSS) in the Keycloak origin when a victim interacts with a crafted link, such as during the logout flow. Exploitation requires an authenticated administrator with `manage-client` privileges or access to client registration endpoints, and user interaction.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[26.6.4-2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat build of Keycloak 26.6", "source": "cna", "vendor": "Red Hat"}, "product": "build_of_keycloak", "vendor": "redhat"}], "created": "2026-06-25T17:45:15.447218+00:00", "updated": "2026-06-26T09:36:52.493435+00:00", "vendors": ["redhat", "redhat$PRODUCT$build_of_keycloak"]}