7.3
CVE-2026-9086
- EPSS 0.42%
- Veröffentlicht 25.06.2026 16:16:46
- Zuletzt bearbeitet 01.07.2026 17:23:37
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass
Cross-site scripting (xss) via case-insensitive uri validation bypass
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
Mögliche Gegenmaßnahme
Keycloak Server: Install latest version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Build Of Keycloak Version >= 26.4 < 26.4.13
Redhat ≫ Build Of Keycloak Version >= 26.6 < 26.6.4
VulnDex Vulnerability Enrichment
Weitere Schwachstelleninformationen
SystemKeycloak
≫
Produkt
Keycloak Server
Version
< 26.6.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.42% | 0.337 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 7.3 | 2.1 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.3 | 2.1 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://access.redhat.com/security/cve/CVE-2026-9086
https://bugzilla.redhat.com/show_bug.cgi?id=2480170
https://access.redhat.com/errata/RHSA-2026:30083
https://access.redhat.com/errata/RHSA-2026:30084
https://access.redhat.com/errata/RHSA-2026:30049
https://access.redhat.com/errata/RHSA-2026:30050
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9086.json
https://github.com/keycloak/keycloak/security/advisories/GHSA-v3f7-2p4r-mwfw