Intel

AIKIDO-2026-309693

keycloak-services is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)CVE-2026-9086 Published 3 days ago

73

High Risk

This Affects:

JAVAkeycloak-services
1.0.1.Final - 26.6.3
Fixed in 26.6.4
Are you affected? Scan for Free

TL;DR

Keycloak validates client redirect URIs case-sensitively, so a crafted javascript: or data: scheme using mixed case slips past the scheme blocklist. A user who can register or manage clients can store a malicious redirect URI that executes script in the Keycloak origin. The payload fires when a victim follows the crafted link, such as during logout or in the Admin Console, enabling cross-site scripting. The fix makes URI scheme validation case-insensitive.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and untrusted users can register or manage clients with their own redirect URIs.

Background info

keycloak-services is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.1.Final - 26.6.3.

How to fix this

Upgrade the org.keycloak:keycloak-services library to the patch version.