Description
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
References
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2026:30049
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2026:30050
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2026:30083
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2026:30084
- VENDOR_ADVISORYhttps://access.redhat.com/security/cve/CVE-2026-9086
- MISChttps://bugzilla.redhat.com/show_bug.cgi?id=2480170