PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9086 Red Hat CVE debrief

CVE-2026-9086 is a high-severity vulnerability in Keycloak that allows a remote attacker with administrative privileges to bypass client URI validation, leading to Cross-Site Scripting (XSS). An attacker can register a malicious client with a specially crafted redirect URI using a case-insensitive 'javascript:' or 'data:' scheme. When a victim clicks the crafted link, such as in the logout flow or the Admin Console, arbitrary code can be executed in the Keycloak origin. This issue affects Keycloak versions 26.4 and 26.6 prior to specific patches.

Vendor
Red Hat
Product
Red Hat build of Keycloak 26.4
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-25
Original CVE updated
2026-07-01
Advisory published
2026-06-25
Advisory updated
2026-07-01

Who should care

Organizations using Keycloak for authentication and authorization should prioritize patching this vulnerability. Attackers with administrative privileges could exploit this issue to execute malicious code, potentially leading to unauthorized access or data breaches. Keycloak administrators and security teams should review their deployments and apply the necessary patches.

Technical summary

CVE-2026-9086 is a Cross-Site Scripting (XSS) vulnerability in Keycloak caused by inadequate client URI validation. An attacker with 'manage-client' permission or access to client registration endpoints can register a malicious client with a crafted redirect URI. The bypass relies on a 'javascript:' or 'data:' scheme written in non-canonical letter case, which the validation fails to reject because URI schemes are case-insensitive. When a victim interacts with the crafted link, such as during logout or in the Admin Console, the attacker's code executes within the Keycloak origin. The Common Vulnerability Scoring System (CVSS) v3.1 score for this vulnerability is 7.3, indicating high severity.
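As an added illustration of the bug class (this is not Keycloak's code nor anything from the advisory), the following contrasts a constructed case-sensitive blocklist check with a hardened, scheme-allowlist validator, and runs an audit over constructed sample client registrations; every function name, URI and client id below is an assumption.

```python
"""Constructed illustration of the CVE-2026-9086 bug class: a case-sensitive
scheme blocklist versus a case-insensitive scheme allowlist for redirect URIs.
Not Keycloak's implementation; names and sample data are assumptions."""
from urllib.parse import urlsplit

# Schemes a browser executes as script when navigated to (named on the page).
DANGEROUS_SCHEMES = ("javascript", "data")
# Schemes a redirect URI may legitimately use; custom app schemes can be added.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def weak_is_safe_redirect(uri: str) -> bool:
    """Constructed weak check: a case-sensitive prefix blocklist.
    'JavaScript:' or 'DATA:' slip through because the comparison is exact."""
    return not uri.startswith(tuple(f"{s}:" for s in DANGEROUS_SCHEMES))


def hardened_is_safe_redirect(uri: str, allowed=ALLOWED_SCHEMES) -> bool:
    """Parse the scheme per RFC 3986 (schemes are case-insensitive; urlsplit
    lower-cases it), then accept only an explicit allowlist. Anything without
    a parsable scheme, including relative URIs, is rejected in this example."""
    scheme = urlsplit(uri.strip()).scheme
    return bool(scheme) and scheme in allowed


def audit_client_redirects(clients: dict, allowed=ALLOWED_SCHEMES) -> list:
    """Defensive review of already-registered clients: return every
    (client_id, redirect_uri) pair that the hardened check would refuse."""
    findings = []
    for client_id, uris in clients.items():
        for uri in uris:
            if not hardened_is_safe_redirect(uri, allowed):
                findings.append((client_id, uri))
    return findings


# Constructed sample registrations, not real data.
SAMPLE_CLIENTS = {
    "billing-app": ["https://billing.example.com/callback"],
    "suspicious-client": ["JavaScript:void(0)", "https://ok.example.com/cb"],
    "another-suspicious": ["DATA:text/html,test"],
}

if __name__ == "__main__":
    for client_id, uri in audit_client_redirects(SAMPLE_CLIENTS):
        print(f"reject client={client_id!r} redirect_uri={uri!r}")
```

A native-app client scheme can be admitted by passing an extended allowlist, e.g. `allowed=ALLOWED_SCHEMES | {"com.example.app"}`, without ever reopening the blocklist approach.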

Defensive priority

Apply patches immediately. Restrict access to client registration and management endpoints.

Recommended defensive actions

  • Apply the patches provided by Red Hat for Keycloak versions 26.4 and 26.6.
  • Restrict access to client registration and management endpoints to only trusted administrators.
  • Implement additional monitoring for suspicious client registration attempts and anomalous user behavior.
  • Review and update Keycloak configurations to ensure proper URI validation and encoding practices.
  • Consider implementing compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent XSS attacks.

Evidence notes

The CVE-2026-9086 vulnerability was publicly disclosed on June 25, 2026, and last modified on July 1, 2026. The vulnerability affects Keycloak versions 26.4 and 26.6 prior to specific patches. Red Hat has provided errata and patches for affected versions.

Official resources

This article was generated with AI assistance based on the supplied source corpus.