CVE-2026-9086
ADVISORY - docker
Summary
Description
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive javascript: or data: scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
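The bypass described above comes down to a scheme check that compares literal prefixes instead of the parsed, normalised scheme. The Python below is an added illustration, not Keycloak's code: it places a case-sensitive deny-list check beside a parse-and-normalise allow-list check; the scheme sets and function names are constructed for the example.

```python
"""Redirect-URI scheme validation: a case-sensitive deny check beside a
normalising allow-list check. Illustration of the bug class behind
CVE-2026-9086; not Keycloak's code, all names constructed for the example."""
from urllib.parse import urlsplit

# Schemes a browser executes in the current origin when navigated to.
DANGEROUS_SCHEMES = {"javascript", "data"}
# Schemes a redirect target may use (constructed allow-list).
ALLOWED_SCHEMES = {"http", "https"}


def weak_is_safe_redirect(uri: str) -> bool:
    """Vulnerable pattern: a literal, case-sensitive prefix deny-list.
    'JavaScript:alert(1)' or ' javascript:...' pass straight through."""
    for scheme in DANGEROUS_SCHEMES:
        if uri.startswith(scheme + ":"):
            return False
    return True


def extract_scheme(uri: str) -> str:
    """Return the lower-cased scheme as a browser would parse it. Browsers
    strip surrounding whitespace and embedded tab/newline characters before
    parsing, so the validator normalises the same way before comparing."""
    cleaned = "".join(ch for ch in uri.strip() if ch not in "\t\n\r")
    # urlsplit lower-cases the scheme; .lower() keeps that explicit.
    return urlsplit(cleaned).scheme.lower()


def hardened_is_safe_redirect(uri: str) -> bool:
    """Fixed pattern: parse, normalise, then require an allow-listed scheme.
    Executable schemes are rejected regardless of letter case, and so is
    anything without a recognised scheme (e.g. scheme-relative '//host')."""
    scheme = extract_scheme(uri)
    if scheme in DANGEROUS_SCHEMES:
        return False
    return scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample inputs showing where the two checks disagree.
    for sample in ["https://app.example/cb", "javascript:alert(1)",
                   "JavaScript:alert(1)", " DATA:text/html,x"]:
        print(f"{sample!r:30} weak={weak_is_safe_redirect(sample)} "
              f"hardened={hardened_is_safe_redirect(sample)}")
```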
EPSS Score: 0.00412 (percentile 0.330)
Common Weakness Enumeration (CWE): -
ADVISORY - redhat
Common Weakness Enumeration (CWE): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Docker
CREATED: -
UPDATED: -
ADVISORY ID: CVE-2026-9086
EXPLOITABILITY SCORE: -
EXPLOITS FOUND: -
COMMON WEAKNESS ENUMERATION (CWE): -
| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| keycloak | dhi | - | - | <26.6.4 | 26.6.4 |
Severity and metrics
No CVSS data available from this advisory.
Red Hat
CREATED: -
UPDATED: -
ADVISORY ID: CVE-2026-9086
EXPLOITABILITY SCORE: 2.1
EXPLOITS FOUND: -
COMMON WEAKNESS ENUMERATION (CWE): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')