Cross-site scripting (XSS) via case-insensitive URI validation bypass
Summary
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console. A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console. This flaw is rated as High. Keycloak's client URI validation is vulnerable to a case-insensitivity issue, allowing attackers to bypass scheme blocklists by using mixed-case `javascript:` or `data:` URIs. This can lead to cross-site scripting (XSS) in the Keycloak origin when a victim interacts with a crafted link, such as during the logout flow. Exploitation requires an authenticated administrator with `manage-client` privileges or access to client registration endpoints, and user interaction. Red Hat severity: Important — CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N). Weakness: CWE-79. Fixed by RHSA-2026:30050, RHSA-2026:30049, RHSA-2026:30084, RHSA-2026:30083 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat build of Keycloak 26.4; Red Hat build of Keycloak 26.4.13; Red Hat build of Keycloak 26.6; Red Hat build of Keycloak 26.6.4.
- rhbk/keycloak-operator-bundle:26.4.13-1
- rhbk/keycloak-rhel9-operator:26.4-19
- rhbk/keycloak-rhel9
- rhbk/keycloak-rhel9:26.6-8
- rhbk/keycloak-rhel9:26.4-19
- rhbk/keycloak-operator-bundle:26.6.4-2
- rhbk/keycloak-rhel9-operator:26.6-8
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- rhbk/keycloak-operator-bundle:26.4.13-1
- rhbk/keycloak-rhel9:26.4-19
- rhbk/keycloak-rhel9-operator:26.4-19
- rhbk/keycloak-rhel9
- rhbk/keycloak-operator-bundle:26.6.4-2
- rhbk/keycloak-rhel9:26.6-8
- rhbk/keycloak-rhel9-operator:26.6-8
- RHSA-2026:30050
- RHSA-2026:30049
- RHSA-2026:30084
- RHSA-2026:30083
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak's Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.