Cross-site scripting in Keycloak - CVE-2026-9086
Published: June 29, 2026


Vulnerability identifier: #VU135693
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-9086
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script code in the context of the Keycloak origin.

The vulnerability exists due to insufficient validation of client redirect URIs: the scheme check can be evaded with a javascript: or data: scheme written in mixed case (browsers match URI schemes case-insensitively). A remote user can register a malicious client with such a redirect URI and supply a crafted link that executes arbitrary script code in the Keycloak origin.

User interaction is required to click the crafted link, such as during the logout flow or in the Admin Console.
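The following is an added illustration of the validation weakness described above; it is example code, not Keycloak's own implementation. A case-sensitive blocklist is shown next to a hardened validator that normalizes the scheme the way browsers do (lower-casing it and removing the whitespace and control characters a browser would ignore) and then allows only an explicit set of schemes. The sample URIs, the allowed-scheme set, and the decision to reject scheme-less (relative) URIs are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed sample redirect URIs (not taken from the advisory). The bodies
# are deliberately inert; only the scheme matters for the check.
SAMPLE_URIS = [
    "https://app.example.com/callback",
    "javascript:void(0)",
    "JavaScript:void(0)",          # mixed case: slips past a byte-for-byte blocklist
    "DaTa:text/plain,hello",       # same trick with the data: scheme
    "\tjava\nscript:void(0)",      # tab/newline that browsers strip before parsing
    "/relative/callback",          # no scheme at all
]

BLOCKED_PREFIXES = ("javascript:", "data:")


def weak_is_allowed(uri: str) -> bool:
    """Weak check (illustrative, assumed): a case-sensitive blocklist.
    Because str.startswith compares bytes exactly, 'JavaScript:' is not
    recognized as the javascript: scheme and is wrongly accepted."""
    return not uri.startswith(BLOCKED_PREFIXES)


# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Allow-list of schemes accepted for client redirect URIs (assumption for this example).
ALLOWED_SCHEMES = frozenset({"http", "https"})


def normalize_for_parsing(uri: str) -> str:
    """Apply the same pre-processing a browser's URL parser applies (WHATWG URL):
    drop leading/trailing C0 controls and spaces, and remove every ASCII tab,
    LF and CR anywhere in the string. Validating the un-normalized string would
    let '\\tjava\\nscript:' through even though the browser sees 'javascript:'."""
    cleaned = uri.strip("".join(chr(c) for c in range(0x21)))
    return cleaned.replace("\t", "").replace("\n", "").replace("\r", "")


def extract_scheme(uri: str) -> Optional[str]:
    """Return the URI scheme, lower-cased (schemes are case-insensitive per RFC 3986),
    or None when the URI carries no scheme."""
    match = _SCHEME_RE.match(normalize_for_parsing(uri))
    return match.group(1).lower() if match else None


def hardened_is_allowed(uri: str) -> bool:
    """Hardened check: parse the scheme after browser-style normalization and
    accept only allow-listed schemes. Scheme-less URIs are rejected here as a
    design choice for this example."""
    scheme = extract_scheme(uri)
    return scheme is not None and scheme in ALLOWED_SCHEMES


def audit_redirect_uris(uris) -> list:
    """Defender helper: return the subset of registered redirect URIs that the
    hardened validator would refuse, so existing client registrations can be
    reviewed after the fix is deployed."""
    return [u for u in uris if not hardened_is_allowed(u)]


if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{u!r:32} weak={weak_is_allowed(u)!s:5} hardened={hardened_is_allowed(u)}")
    print("flagged:", audit_redirect_uris(SAMPLE_URIS))
```

Run as a script, the table shows the weak check accepting the mixed-case and tab/newline variants while the hardened check rejects them; `audit_redirect_uris` is the function to point at an export of existing client redirect URIs when checking whether any were registered before the fix.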


How to mitigate CVE-2026-9086

Install the security update from the vendor's website.

Sources