PatchSiren cyber security CVE debrief
CVE-2026-9086 Red Hat CVE debrief
CVE-2026-9086 is a high-severity vulnerability in Keycloak that allows a remote attacker with administrative privileges to bypass client URI validation, leading to Cross-Site Scripting (XSS). An attacker can register a malicious client whose redirect URI uses a case variant of the 'javascript:' or 'data:' scheme that the validation check does not catch. When a victim clicks the crafted link, for example in the logout flow or the Admin Console, arbitrary script executes in the Keycloak origin. This issue affects Keycloak versions 26.4 and 26.6 prior to specific patches.
- Vendor: Red Hat
- Product: Red Hat build of Keycloak 26.4
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-25
- Original CVE updated: 2026-07-01
- Advisory published: 2026-06-25
- Advisory updated: 2026-07-01
Who should care
Organizations using Keycloak for authentication and authorization should prioritize patching this vulnerability. Attackers with administrative privileges could exploit this issue to execute malicious code, potentially leading to unauthorized access or data breaches. Keycloak administrators and security teams should review their deployments and apply the necessary patches.
Technical summary
CVE-2026-9086 is a Cross-Site Scripting (XSS) vulnerability in Keycloak caused by inadequate client URI validation. An attacker with 'manage-client' permission or access to client registration endpoints can register a malicious client with a crafted redirect URI. The validation is bypassed with a case variant of the 'javascript:' or 'data:' scheme: browsers treat URI schemes case-insensitively, so a scheme the check does not recognise is still executed by the victim's browser. When a victim interacts with the crafted link, such as during logout or in the Admin Console, the attacker's script executes within the Keycloak origin. The Common Vulnerability Scoring System (CVSS) v3.1 score for this vulnerability is 7.3, indicating high severity.
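The check below is an added illustration of the class of defect described above, not Keycloak's own validation code. It places a weak, case-sensitive deny-list test beside a hardened check that normalises the URI the way a browser's URL parser does (trims leading and trailing controls and spaces, drops embedded tab and newline, lower-cases the scheme) and then applies an allow-list; it goes slightly beyond the page's mixed-case case by also handling those whitespace variants. The client records, the `ALLOWED_SCHEMES` set and the `flag_clients` helper are assumptions made for the demo.

```python
"""Illustrative redirect-URI scheme validation for an OAuth client registry.

Added example, not Keycloak code. Sample client data is constructed.
"""
import re
from typing import Dict, List

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# ASCII controls and space, which a browser strips from the ends of a URL
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
# Assumption: this deployment only ever redirects over TLS.
ALLOWED_SCHEMES = {"https"}


def weak_is_safe(uri: str) -> bool:
    """Case-sensitive prefix deny-list: 'JavaScript:' slips straight through."""
    return not uri.startswith(("javascript:", "data:"))


def browser_scheme(uri: str) -> str:
    """Scheme as a browser would interpret it, lower-cased ('' if none)."""
    cleaned = uri.strip(C0_AND_SPACE)
    for ch in ("\t", "\n", "\r"):  # browsers drop these anywhere in the URL
        cleaned = cleaned.replace(ch, "")
    m = SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else ""


def hardened_is_safe(uri: str) -> bool:
    """Allow-list on the normalised scheme; unknown or scheme-less values fail."""
    return browser_scheme(uri) in ALLOWED_SCHEMES


def flag_clients(clients: List[Dict]) -> List[str]:
    """Client ids that carry at least one redirect URI failing the hardened check."""
    return [
        c["clientId"]
        for c in clients
        if any(not hardened_is_safe(u) for u in c.get("redirectUris", []))
    ]


# Constructed sample registry: one clean client, two that a weak check would accept.
SAMPLE_CLIENTS = [
    {"clientId": "portal", "redirectUris": ["https://portal.example.com/cb"]},
    {"clientId": "legacy", "redirectUris": ["JavaScript:void(0)"]},
    {"clientId": "kiosk", "redirectUris": ["  Data:text/plain,hello"]},
]

if __name__ == "__main__":
    print("weak check accepts mixed case:", weak_is_safe("JavaScript:void(0)"))
    print("clients to review:", flag_clients(SAMPLE_CLIENTS))
```

Running the module prints `True` for the weak check and `['legacy', 'kiosk']` for the clients to review.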
Defensive priority
Apply patches immediately. Restrict access to client registration and management endpoints.
Recommended defensive actions
- Apply the patches provided by Red Hat for Keycloak versions 26.4 and 26.6.
- Restrict access to client registration and management endpoints to only trusted administrators.
- Implement additional monitoring for suspicious client registration attempts and anomalous user behavior.
- Review and update Keycloak configurations to ensure proper URI validation and encoding practices.
- Consider implementing compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent XSS attacks.
Evidence notes
The CVE-2026-9086 vulnerability was publicly disclosed on June 25, 2026, and last modified on July 1, 2026. The vulnerability affects Keycloak versions 26.4 and 26.6 prior to specific patches. Red Hat has provided errata and patches for affected versions.
Official resources
- CVE-2026-9086 CVE record (CVE.org)
- CVE-2026-9086 NVD detail (NVD)
This article was generated with AI assistance based on the supplied source corpus.