Releases: keycloak/keycloak
nightly
Fix duplicated resource on current and next page in Auth Resources (#…
26.6.1
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #47276 CVE-2026-4366 Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling (core)
- #47619 CVE-2026-4633 Keycloak user enumeration via identity-first login (core)
Enhancements
Bugs
- #47435 AuroraDB IT CI workflow not cleaning up databases (testsuite)
- #47737 deploy-testsuite profile is incomplete, causing discrete testsuite execution to fail (testsuite)
- #47776 False session type of access token in offline_access refresh token flow with scope parameter without offline_access scope (oidc)
- #47827 az vm create fails with JSON parsing error (ci)
- #47872 v26.6.0 Operator flood logs with warnings (operator)
- #47889 Not possible to sync latest keycloak-admin-client to keycloak-client (admin/client-java)
- #47904 @keycloak/keycloak-admin-client fails to install in version 26.6.0 (admin/client-js)
- #47905 invalid package reference in keycloak-admin-ui (admin/ui)
- #47908 MigrateTo26_6_0 modifies custom browser flows, breaking existing realm authentication (organizations)
- #47929 User profile multiselect options not highlighted as selected in dropdown (admin/ui)
- #47955 IdentityProviderAuthenticator creates an infinite redirect loop when an IdP returns an error (e.g. access_denied) and the login was initiated with kc_idp_hint (identity-brokering)
- #48015 Missing explicit docs anchor for organizations (docs)
- #48032 Endpoint Response Text during Bootstrap contains Typo: Boostrap (dist/quarkus)
26.6.0
Highlights
This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:
- JWT Authorization Grant, enabling external-to-internal token exchange using externally signed JWT assertions.
- Federated client authentication, eliminating the need to manage individual client secrets in Keycloak.
- Workflows, enabling administrators to automate realm administrative tasks such as user and client lifecycle management.
- Zero-downtime patch releases, allowing rolling updates within a minor release stream without service downtime.
- The Keycloak Test Framework, replacing the previous Arquillian-based solution.
All of these features are now fully supported and no longer in preview. Read on to learn more about each new feature. If you are upgrading from a previous release, also review the changes listed in the upgrading guide.
Security and Standards
JWT Authorization Grant (supported)
JWT Authorization Grant (RFC 7523) is designed to implement external-to-internal token exchange use cases. This grant allows using externally signed JWT assertions to request OAuth 2.0 access tokens.
In this release, JWT Authorization Grant is promoted from preview to supported. See the JWT Authorization Grant guide for additional details.
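To make the grant concrete, the following is an added illustration (not Keycloak's implementation and not taken from the linked guide) of what an RFC 7523 token request carries and which checks the token endpoint must apply to the externally signed assertion before issuing an access token: trusted issuer, audience bound to this endpoint, validity window, and the mapped local user being enabled (the omission later fixed under #46144). The token endpoint URL, the trusted issuer, its key, and the user directory are constructed stand-ins; HS256 with a shared key is used only so the example runs with the standard library, whereas a real issuer publishes asymmetric keys.

```python
"""Server-side validation of an RFC 7523 JWT bearer assertion (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration (assumptions for this example, not Keycloak settings).
TOKEN_ENDPOINT = "https://idp.example.test/realms/demo/protocol/openid-connect/token"
# Hypothetical trusted external issuer and its shared HMAC key (stand-in for JWKS keys).
TRUSTED_ISSUERS = {"https://issuer.example.test": b"constructed-shared-key"}
# Constructed local user directory keyed by the assertion's `sub` claim.
USERS = {"alice": {"enabled": True}, "bob": {"enabled": False}}
CLOCK_SKEW = 60      # tolerated clock drift in seconds
MAX_LIFETIME = 300   # reject assertions that are valid for longer than 5 minutes


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_assertion(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def token_request_form(assertion: str) -> dict:
    """Form parameters the client posts for this grant (RFC 7523 section 2.1)."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "assertion": assertion}


def validate_assertion(assertion: str, now: Optional[float] = None) -> dict:
    """Return the validated claims, or raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(body_b64))
    if header.get("alg") != "HS256":          # never accept 'none' or an unexpected alg
        raise ValueError("unsupported alg")
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # aud must name this token endpoint, so an assertion minted for another
    # server cannot be replayed here (RFC 7523 section 3).
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if TOKEN_ENDPOINT not in auds:
        raise ValueError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW:
        raise ValueError("expired or missing exp")
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    if exp - claims.get("iat", exp) > MAX_LIFETIME:
        raise ValueError("lifetime too long")
    user = USERS.get(claims.get("sub"))
    if user is None:
        raise ValueError("unknown subject")
    if not user["enabled"]:                   # a disabled account must not obtain tokens
        raise ValueError("subject is disabled")
    return claims


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["https://issuer.example.test"]
    now = int(time.time())
    good = sign_assertion({"iss": "https://issuer.example.test", "sub": "alice",
                           "aud": TOKEN_ENDPOINT, "iat": now, "exp": now + 120}, key)
    print(token_request_form(good)["grant_type"], "->", validate_assertion(good)["sub"])
    disabled = sign_assertion({"iss": "https://issuer.example.test", "sub": "bob",
                               "aud": TOKEN_ENDPOINT, "iat": now, "exp": now + 120}, key)
    try:
        validate_assertion(disabled)
    except ValueError as err:
        print("rejected:", err)
```

The checks are ordered so that the cheapest rejections (unknown issuer, bad signature) happen before any user lookup, and the user-enabled check is applied to the assertion's subject rather than assumed from the external issuer's view of the account.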
Federated client authentication (supported)
Federated client authentication allows clients to leverage existing credentials once a trust relationship with another issuer exists. It eliminates the need to assign and manage individual secrets for each client in Keycloak.
Federated client authentication is now promoted to supported, including support for client assertions issued by external OpenID Connect identity providers and Kubernetes Service Accounts.
Since the OAuth SPIFFE Client Authentication specification is still in draft status, this feature remains a preview feature in Keycloak.
New guide about Demonstrating Proof-of-Possession (DPoP)
A new guide for OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) in the Securing applications Guides provides information on how to mitigate the risk of stolen tokens by making tokens sender-constrained.
See Securing applications with DPoP for more details.
Identity Brokering APIs V2 (preview)
A new preview version 2 for the Identity Brokering APIs is introduced in this release. When brokering is used during the authentication process, Keycloak allows you to store tokens and responses issued by the external Identity Provider. Applications can call a specific endpoint to retrieve those tokens, which, in turn, can be used to get extra user information or invoke endpoints in the external trust domain. The new version improves the token retrieval endpoint to substitute the internal to external Token Exchange (use case for the legacy Token Exchange V1).
For more information, see the chapter Identity Brokering APIs in the Server Developer Guide.
Step-up authentication for SAML (preview)
The feature step-up-authentication-saml extends the step-up authentication to include the SAML protocol and clients. This feature is in preview mode. Additional information is available in the Server Administration Guide.
OAuth Client ID Metadata Document (experimental)
OAuth Client ID Metadata Document (CIMD) is an emerging standard that defines a JSON document format for describing OAuth 2.0 client metadata. Since version 2025-11-25, the Model Context Protocol (MCP) requires an authorization server to comply with CIMD. Keycloak now includes experimental support for CIMD, allowing it to serve as an authorization server for MCP version 2025-11-25 or later.
See Integrating with Model Context Protocol (MCP) for the updated guide including CIMD.
Many thanks to Takashi Norimatsu for the contribution.
Administration
Workflows (supported)
Workflows allow administrators to automate and orchestrate realm administrative tasks, bringing key capabilities of Identity Governance and Administration (IGA) to Keycloak. By defining workflows in YAML format, you can automate the lifecycle of realm resources such as users and clients based on events, conditions, and schedules.
In this release, Workflows is promoted from preview to supported. This release also includes new built-in steps, a troubleshooting guide, and various improvements to the workflow engine.
For more details, see the Managing workflows chapter in the Server Administration Guide.
Organization groups
Organizations now support isolated group hierarchies, allowing each organization to manage its own teams and departments without naming conflicts across the realm. This update includes Identity Provider mappers to automatically assign federated users to organization groups based on external claims. Group membership is automatically included in OIDC tokens and SAML assertions when an organization context is requested.
For more details, see the Managing organization groups guide.
New Groups scope for user membership changes
Fine-Grained Admin Permissions (FGAP) now includes a new Groups scope: manage-membership-of-members.
This scope is now used as the group-side bridge for evaluating user-side manage-group-membership permissions based on a user’s current group memberships.
The existing manage-membership scope keeps its current behavior for target group membership management operations.
Looking up client secrets via the Vault SPI
Secrets for clients can now be managed and looked up by the Vault SPI.
Thank you to Tero Saarni for contributing this change.
Forcing password change for LDAP users
There is now initial support for LDAP password policy control. The support is limited to prompting users to update their password when the LDAP server indicates that the password must be changed. Previously, Keycloak let the user in and ignored the mandatory password reset. There is a new optional setting “Enable LDAP password policy” in the LDAP advanced settings to enable this.
Thank you to Tero Saarni for contributing this change.
Configuring and Running
Java 25 support
Keycloak now supports running with OpenJDK 25. The server container image continues to use OpenJDK 21 for now to support FIPS mode. For details, see the note in the FIPS guide.
Zero-downtime patch releases (supported)
Zero-downtime patch releases allow you to perform rolling updates when upgrading to a newer patch version within the same major.minor release stream without service downtime.
26.5.7
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #45493 CVE-2025-14083 keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure (admin/api)
- #45569 CVE-2026-1002 - io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files
- #47069 CVE-2026-3429 Improper Access Control for LoA During Credential Deletion (account/api)
- #47716 CVE-2026-4634 Keycloak Application-Level DoS via Scope Processing
- #47717 CVE-2026-4636 UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
- #47718 CVE-2026-3872 Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
- #47719 CVE-2026-4282 Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw
Enhancements
- #46631 Upgrade to Quarkus 3.27.3 (dist/quarkus)
Bugs
- #45204 Call without Host header throws uncaught error (core)
26.5.6
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #45645 CVE-2026-1180 - Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri (oidc)
- #45647 CVE-2026-1035 - Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition (oidc)
- #45650 CVE-2025-14777 - Keycloak IDOR in realm client creating/deleting
- #45653 CVE-2025-14082 keycloak-server: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure
- #46719 CVE-2026-3121 - Keycloak: Privilege escalation via manage-clients permission
- #46723 CVE-2026-3190 - Information Disclosure via improper role enforcement in UMA 2.0 Protection API (core)
- #46922 CVE-2026-3911 Keycloak: Information disclosure of disabled user attributes via administrative endpoint (user-profile)
- #47062 CVE-2026-2366 Authorization Bypass: Unprivileged tokens can enumerate user organization memberships (organizations)
Bugs
- #45889 Federated user disabled when external DB unavailable, never re-enabled (storage)
- #46239 AUTH_SESSION_ID cookie reuse causes cross-user session contamination on re-authentication (authentication)
- #46296 UsersResource.search briefRepresentation started to return user attributes (admin/api)
- #46379 Unexpected error when logging out with offline session and external IDP (oidc)
- #46459 Operator-built DB config: targetServerType=primary not applied / connection validation not working after master-replica failover (26.5.0) (operator)
- #46588 Partial LDAP sync duration does not follow the defined value in user federation (ldap)
- #46605 26.5.4 startup regression with many realms: RealmCacheSession.prepareCachedRealm() scans master admin role composites per realm (O(N²)) (core)
- #46656 Em-Hyphens in SPI options on cache configuration page (docs)
- #46663 JGroups bind port configuration ignored when --cache-embedded-network-bind-port set (infinispan)
- #46669 SPIFFE Client assertion throws a NullPointerException if no client is found (token-exchange)
- #47079 Do not allow fetching organizations of a member if not a member of the current organization (organizations)
26.5.5
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #46909 CVE-2026-3047 SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login
- #46910 CVE-2026-3009 Improper Enforcement of Disabled Identity Provider in IdentityBrokerService
- #46911 CVE-2026-2603 Disabled SAML IdP still allows IdP-initiated broker login
- #46912 CVE-2026-2092 saml broker encrypted assertion injection
26.5.4
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #45646 CVE-2026-1190 - Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData (saml)
- #45649 CVE-2026-0707: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass
- #45776 CVE-2025-5416 keycloak-core: Keycloak Environment Information
- #46372 CVE-2026-2575 - Denial of Service due to excessive SAMLRequest decompression (saml)
- #46462 CVE-2026-2733 Missing Check on Disabled Client for Docker Registry Protocol
Enhancements
- #46090 New key affinity for session ids
Bugs
- #44488 "Update email" AIA: "Back to Application" URL invokes OIDC callback with missing parameters (oidc)
- #45065 Client deletion timeout due to large number of client roles (storage)
- #45680 auth_mellon (SAML) authentication fails after upgrade to 26.5.1 (from 26.4.6) (saml)
- #45728 Information Disclosure of Client Secret on Unauthenticated Config Endpoint (oidc)
- #45874 Disabled organizations still resolve in organization-aware login flows (organizations)
- #45966 KeycloakRealmImport: Realm created in DB but not visible in Admin Console until restart (operator)
- #45980 Keycloak cluster with 3 nodes and jdbc-ping stack fails to rejoin after temporary network partition (infinispan)
- #46100 Makes Database Query on Every Login Page Load Instead of Using Cache (infinispan)
- #46150 Move upgrading note for SAML to 26.5.4 (docs)
- #46178 Regression: cannot authenticate in keycloak-admin-client (adapter/javascript)
- #46290 Incorrect code used error, leading to "400 / Code already used" during Infinispan state transfers (infinispan)
- #46303 JWT Authorization Grant: Always getting "Token was issued too far in the past to be used now" for EntraID issued tokens (oidc)
- #46312 io.fabric8:docker-maven-plugin:0.40.3:start failed: Cannot invoke "com.google.gson.JsonElement.isJsonNull()" because the return value of "com.google.gson.JsonObject.get(String)" is null (ci)
26.5.3
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #46144 CVE-2026-1609 Disabled users can still obtain tokens via JWT Authorization Grant
- #46145 CVE-2026-1529 Forged invitation JWT enables cross-organization self-registration
- #46146 CVE-2026-1486 Logic Bypass in JWT Authorization Grant Allows Authentication via Disabled Identity Providers
- #46147 CVE-2025-14778 Incorrect ownership checks in /uma-policy/
Enhancements
- #45892 Upgrade minikube for CI tests (operator)
Bugs
- #44379 Node.js admin client does not refresh tokens (admin/client-js)
- #45459 k8s multiple restart (oomkilled) in v26.5.0-0 during startup because of RAM (dist/quarkus)
- #45662 Increase in startup memory consumption in post 26.5 versions (dist/quarkus)
- #45677 Hibernate Validator is enabled by default when not used (dist/quarkus)
- #45708 Unpexted value '' in mixed-cluster-compatibility-tests (testsuite)
- #45745 mixed-cluster-compatibility-tests fail due to incorrectly masked content in 26.5 branch (ci)
- #45755 Broken YAML indentation in operator rolling updates doc (docs)
- #45780 Remove fatal log messages from `ConsistentHash`
26.5.2
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #44994 CVE-2025-67735 - netty-codec-http: Request Smuggling via CRLF Injection (dependencies)
Enhancements
- #43443 Keycloak should warn when ISPN or JGROUPS is running in debug level logging
- #45498 Ignore OpenAPI artifacts when disabled (dist/quarkus)
Bugs
- #44785 Can not get through SSO login if using a custom attribute with default value (user-profile)
- #45015 Deadlock in Infinispan virtual threads (infinispan)
- #45250 IDToken contains duplicate address claims (oidc)
- #45333 User admin events don't show role, group mapping, reset password like events (admin/ui)
- #45396 Database Migration fails when updating to 26.5.0 on MS SQL (core)
- #45415 cache-remote-host becomes mandatory at build time when using clusterless feature (infinispan)
- #45417 Unmanaged Attributes Type (Only administrators can view) allows admin API to set Unmanaged Attributes (user-profile)
- #45474 Admin REST API document is not up to date (docs)
- #45526 Regression (26.5.1): Organizations domain resolution fails on MariaDB/MySQL due to ORG/ORG_DOMAIN collation mismatch (organizations)
- #45533 Keycloak should not allow matrix parameters in URLs as we don't use them (dist/quarkus)
- #45570 CVE-2025-66560 - io.quarkus/quarkus-rest: Quarkus REST Worker Thread Exhaustion Vulnerability
- #45584 Keycloak supported specs should list DPoP as supported (oidc)
- #45590 OIDCIdentityProviderConfig issuer configuration (token-exchange)
- #45597 Possible mismatch of charset/collation between columns on mysql/mariadb (organizations)
- #45651 CVE-2025-14559 keycloak-services: Keycloak keycloak-services: Business logic flaw allows unauthorized token issuance for disabled users
26.5.1
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #44863 x-robots HTTP header missing for static Keycloak resources, and REST endpoint responses
- #45009 Performance improvement: Missing indexes on BROKER_LINK table columns
- #45182 Allow full managing of realms from master realm without global admin role
Bugs
- #43975 Test Framework -> Embedded server -> Maven execution failure: Failed to read script file from: scripts/default-policy.js (test-framework)
- #44371 403 Forbidden when assigning realm-management client roles despite FGAP disabled (regression in 26.4.0+) (admin/fine-grained-permissions)
- #44417 Security issue with Organization feature exposes and fills the account name automatically in user/password form (organizations)
- #44783 Create Realm button is missing when user has create-realm role (admin/ui)
- #44860 Admin UI: slow response time listing second user page (admin/ui)
- #45003 Bug in JWTClientAuthenticator and JWTClientSecretAuthenticator causes NPE (authentication)
- #45093 Enable visibility of Role Mapping tab for users with view-users role (admin/ui)
- #45107 Failed upgrade to 26.4.7 - sql generated for manual database upgrade contains invalid statements (storage)
- #45116 Realm-level administrators can no longer use Admin Console since 26.3.0 (UI fails to render) (admin/ui)
- #45185 ExternalLinkTest fails due to missing _adding_context_for_log_messages anchor (docs)
- #45226 Failure when decrypting SAML Response since 26.5.0 (saml)
- #45239 Upgrade to 26.5.0 failing due to FK_ORG_INVITATION_ORG constraint (organizations)
- #45257 Creating IdentityProvider with latest java admin-client may fail against Keycloak server 26.4 or older (admin/client-java)
- #45307 UI Bug: WebAuthn passkey list is broken in keycloak v2 theme (login/ui)