Zero Day MonitorZDM

← Back to list

7.3

CVE-2026-9086EXPLOITEDPATCHED

red hat · keycloak

Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass

Description

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.

Affected Products

Vendor	Product	Versions
red hat	keycloak	—

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	open source keycloak	cert_advisory	90%

References

https://access.redhat.com/errata/RHSA-2026:30049(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:30050(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:30083(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:30084(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/security/cve/CVE-2026-9086(vdb-entry, x_refsource_REDHAT)
https://bugzilla.redhat.com/show_bug.cgi?id=2480170(issue-tracking, x_refsource_REDHAT)

Related News (2 articles)

Tier B

BSI Advisories1d ago

[NEU] [hoch] Keycloak: Mehrere Schwachstellen

→ No new info (linked only)

Tier C

VulDB2d ago

CVE-2026-9086 | Keycloak on Red Hat Redirect cross site scripting

→ No new info (linked only)

CVSS 3.17.3 NONE

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

26.6-826.6.4-2

CWECWE-79

PublishedJun 25, 2026

Last enriched2d agov2

Trending Score45

Source articles2

Independent2

Info Completeness6/14

Missing: versions, cvss, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-9800EXP

Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison

NONECVE-2026-9083EXP

Keycloak: keycloak: information disclosure through arbitrary filesystem path probing

CRITICALCVE-2026-12992EXP

Apicurio/apicurio-registry: apicurio-registry: ssrf via wsdl4j import dereference in wsdl full validation

HIGHCVE-2026-12993EXP

Apicurio/apicurio-registry: apicurio-registry: xml entity-expansion denial of service via internal dtd subset

NONECVE-2026-13325EXP

Virt-handler-rhel9: kubevirt: kubevirt: disabletls migration setting removes authentication, exposing unauthenticated virtqemud proxy on all interfaces

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Jun 25, 2026

Discovered by ZDM

Jun 25, 2026

Updated: description, severity, activelyExploited

Jun 25, 2026

Actively Exploited

Jun 26, 2026

Patch Available

Jun 26, 2026

Version History

v2

Last enriched 2d ago

v2Tier C2d ago

Updated description with new details, changed severity to HIGH, and marked the vulnerability as actively exploited.

descriptionseverityactivelyExploited

via VulDB

v12d ago

Initial creation