CVE-2026-9086 in Keycloak

Summary

by MITRE • 06/25/2026

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.


Analysis

by VulDB Data Team • 06/25/2026

This vulnerability exists within the Keycloak identity and access management platform, where an attacker with administrative privileges can exploit a flaw in the URI validation mechanism. The issue stems from insufficient validation of client redirect URIs during registration, specifically when the scheme is a letter-case variant of javascript: or data: (for example JavaScript: or DATA:). The vulnerability is particularly concerning because it bypasses security controls that are meant to prevent malicious redirection. According to CWE-79, this is a classic cross-site scripting vulnerability: the application fails to properly validate and sanitize input before placing it in a context where it will be executed by other users. The flaw operates at the application layer and can be classified under ATT&CK technique T1203, which involves exploitation of web applications through malicious redirects.

The technical implementation of this vulnerability occurs when an attacker registers a client with a redirect URI that uses the javascript: or data: scheme in a case-insensitive manner. The system fails to perform proper validation checks that would normally prevent such dangerous URI schemes from being registered, allowing the attacker to register a malicious client that can execute arbitrary code in the context of the Keycloak origin. This occurs because the URI validation logic does not properly normalize or canonicalize the URI scheme before performing security checks, creating a bypass opportunity for attackers who can leverage case variations to circumvent the security controls. The vulnerability particularly affects the logout flow and Admin Console functionality where users may be redirected to malicious URIs that execute JavaScript code in their browser context.

The operational impact of this vulnerability is significant: the attacker's script executes in the victim's browser within the Keycloak origin, potentially allowing attackers to escalate privileges, reach sensitive administrative functions, or perform unauthorized actions within the identity management system on the victim's behalf. The attack requires only administrative privileges with manage-client permissions or access to client registration endpoints, which are often more widely held than full administrative access. Victims can be tricked into clicking malicious links during the logout process or while navigating the Admin Console, making this a particularly dangerous vulnerability for organizations relying on Keycloak for identity management. The vulnerability effectively undermines the security model of the platform by allowing attackers to execute arbitrary script in the browser context of legitimate users.

Organizations should implement immediate mitigations, including strengthening URI validation logic so that scheme matching is performed on a normalized (lower-cased) scheme rather than on the raw string, and implementing comprehensive input sanitization for all redirect URIs during client registration. The system should normalize and canonicalize URI schemes before performing validation checks and maintain an explicit blacklist of dangerous URI schemes such as javascript: and data:. Additionally, organizations should implement proper access controls to limit who can register clients or modify existing client configurations, restricting these capabilities to trusted administrators only. Security monitoring should be enhanced to detect anomalous client registration patterns and suspicious redirect URI values. This mitigation strategy aligns with NIST SP 800-53 security controls related to input validation and access control, ensuring that the vulnerability cannot be exploited through unauthorized client registration activities. Regular security assessments and penetration testing should be conducted to identify similar bypass opportunities in validation mechanisms across other applications.
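The following is an added illustration, not Keycloak's code and not taken from the advisory, of the validation defect the analysis describes and of the normalization-based fix it recommends. The weak check compares raw prefixes and is therefore bypassed by a letter-case variant of the scheme; the hardened check extracts the scheme using the RFC 3986 grammar, lower-cases it, applies the explicit deny-list named on the page, and then an allow-list. The allow-list of http/https, the rejection of URIs without a parseable scheme, and the sample registered URIs are assumptions constructed for this example. An audit helper applies the same check to a list of already-registered redirect URIs, which is how a defender would look for existing bad entries rather than only guarding new registrations.

```python
import re

# Schemes the advisory names as dangerous in a redirect URI.
DANGEROUS_SCHEMES = frozenset({"javascript", "data"})

# Assumption for this example: only web redirect targets are acceptable.
# A real deployment may add its own custom app schemes here.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def weak_is_valid_redirect_uri(uri: str) -> bool:
    """Case-sensitive prefix check of the kind the advisory describes.

    It only rejects the exact lower-case spellings, so a variant such as
    'JavaScript:' passes even though browsers treat schemes case-insensitively.
    """
    return not (uri.startswith("javascript:") or uri.startswith("data:"))


def canonical_scheme(uri: str):
    """Return the scheme in lower case, or None if the URI has no RFC 3986 scheme.

    A leading tab, newline or other non-alpha character means no scheme is
    parseable here; browsers may still strip such characters, so the caller
    must treat None as 'reject', not 'harmless'.
    """
    m = _SCHEME_RE.match(uri)
    return m.group(1).lower() if m else None


def hardened_is_valid_redirect_uri(uri: str) -> bool:
    """Normalize the scheme first, then apply the deny-list and the allow-list."""
    scheme = canonical_scheme(uri)
    if scheme is None:
        # Assumption: only absolute URIs are registered, so an unparseable
        # scheme is rejected instead of being left for the browser to guess.
        return False
    if scheme in DANGEROUS_SCHEMES:
        # Explicit deny-list, kept so that a misconfigured allow-list can
        # never re-admit these schemes.
        return False
    return scheme in ALLOWED_SCHEMES


def audit_redirect_uris(uris):
    """Return (uri, canonical_scheme) for every entry the hardened check rejects."""
    return [(u, canonical_scheme(u)) for u in uris if not hardened_is_valid_redirect_uri(u)]


# Constructed sample of registered redirect URIs; not real client data.
SAMPLE_REGISTERED_URIS = [
    "https://app.example.com/callback",
    "http://localhost:8080/*",
    "JavaScript:void(0)",                 # case variant that defeats the weak check
    "DATA:text/html,constructed-sample",  # case variant of the other named scheme
    "\tjavascript:void(0)",               # leading control character, no parseable scheme
]


if __name__ == "__main__":
    for uri in SAMPLE_REGISTERED_URIS:
        print(f"{uri!r:40} weak={weak_is_valid_redirect_uri(uri)!s:5} "
              f"hardened={hardened_is_valid_redirect_uri(uri)}")
    print("entries an audit would flag:", audit_redirect_uris(SAMPLE_REGISTERED_URIS))
```

Running the block shows the weak check accepting both mixed-case entries while the hardened check rejects them, and the audit flags the three constructed bad entries. The point of normalizing before comparing, rather than enumerating spellings, is that the deny-list then needs one entry per scheme regardless of how the registrant cased it.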

Responsible

Redhat

Reservation

05/20/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00412

KEV

no

Activities

low

Sources
