Bug 2480170 (CVE-2026-9086) - CVE-2026-9086 keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass
Keywords:
Status: NEW
Alias: CVE-2026-9086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high / high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-05-20 14:45 UTC by OSIDB Bzimport
Modified: 2026-06-25 15:59 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description (OSIDB Bzimport, 2026-05-20 14:45:36 UTC)
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically the `manage-client` permission or access to the client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation by registering a malicious client with a specially crafted redirect URI whose `javascript:` or `data:` scheme is written in a letter case the check does not catch (URI schemes are case-insensitive, so the browser still honors it). This Cross-Site Scripting (XSS) vulnerability allows arbitrary script execution in the Keycloak origin when a victim clicks the crafted link, for example from the logout flow or the Admin Console.
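Added example, not Keycloak's code: the kind of case-sensitive denylist the description implies, beside a hardened validator that normalizes the scheme before deciding. The `http`/`https` allow-list, the rejection of scheme-less URIs, and the sample redirect URIs are assumptions for illustration.

```python
import re

# Constructed illustration of the bug class; not Keycloak's validator.
DANGEROUS_SCHEMES = ("javascript", "data")
ALLOWED_SCHEMES = frozenset({"http", "https"})  # assumed policy for this demo

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def weak_is_safe_redirect(uri: str) -> bool:
    """Case-sensitive prefix denylist on the raw string.

    This is the pattern a mixed-case scheme such as 'JavaScript:' slips past,
    because the comparison is exact while browsers match schemes case-insensitively.
    """
    return not any(uri.startswith(s + ":") for s in DANGEROUS_SCHEMES)


def normalized_scheme(uri: str):
    """Extract the scheme roughly the way a browser's URL parser sees it.

    Leading C0 controls and spaces are dropped, ASCII tab/CR/LF are removed
    anywhere, and the result is lower-cased. Returns None when no scheme
    is present (a relative reference).
    """
    cleaned = re.sub(r"^[\x00-\x20]+", "", uri)
    cleaned = re.sub(r"[\t\r\n]", "", cleaned)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def hardened_is_safe_redirect(uri: str) -> bool:
    """Allow-list the normalized scheme instead of denylisting raw prefixes."""
    scheme = normalized_scheme(uri)
    if scheme is None:  # assumed policy: scheme-less redirect URIs are rejected
        return False
    return scheme in ALLOWED_SCHEMES


def audit(uris):
    """Map each candidate URI to (weak_verdict, hardened_verdict)."""
    return {u: (weak_is_safe_redirect(u), hardened_is_safe_redirect(u)) for u in uris}


# Constructed sample redirect URIs, including the mixed-case forms the flaw concerns.
SAMPLE_REDIRECT_URIS = [
    "https://app.example.com/cb",
    "HTTPS://App.example.com/cb",
    "javascript:void(0)",
    "JavaScript:void(0)",
    "DATA:text/html,x",
    "\tjavascript:void(0)",
    "/relative/path",
]

if __name__ == "__main__":
    for uri, (weak, hard) in audit(SAMPLE_REDIRECT_URIS).items():
        print(f"{uri!r:32} weak={weak!s:5} hardened={hard}")
```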

