Skip to content

26.6.3

Latest
Latest

Choose a tag to compare

View all tags
@keycloak-bot keycloak-bot released this 04 Jun 17:00
· 633 commits to main since this release
26.6.3
8a67e82

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

  • #47707 CVE-2026-4800 lodash vulnerable to Code Injection via `_.template` imports key names account/ui
  • #47935 [CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint manipulation oidc
  • #48036 [CVE-2026-37977] CORS Access-Control-Allow-Origin reflected from unverified JWT azp claim on UMA token endpoint authorization-services
  • #48709 [CVE-2026-7500] Improper Access Control on Keycloak Server when the account Account API feature is disabled account/api
  • #48805 CVE-2026-42581 Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
  • #49118 [CVE-2026-8922] OIDC token introspection ignores realm-level notBefore when client-level notBefore is set oidc
  • #49133 [CVE-2026-8830] Missing server-side WebAuthn validations during credential registration authentication/webauthn
  • #49174 [CVE-2026-9088] Group Members Endpoint Bypasses User Profile Permissions admin/fine-grained-permissions
  • #49175 [CVE-2026-9087] Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login identity-brokering
  • #49426 [CVE-2026-9802] Server restart resets startupTime, allowing reuse of rotated refresh tokens when revokeRefreshToken=true oidc
  • #49428 [CVE-2026-9794] SAML ECP faultstring discloses client existence and configuration state saml
  • #49431 [CVE-2026-9791] Organization data exposed in tokens and account API when Organizations feature is disabled at realm level organizations
  • #49433 [CVE-2026-0707] ClientRegistrationAuth DoS via malformed Authorization header (CVE-2026-0707 incomplete fix) admin/api
  • #49434 [CVE-2026-9801] DoS in LDAP federation via malformed PasswordPolicyControl ldap
  • #49435 [CVE-2026-9704] Privilege escalation via silent subject_token removal in token exchange oidc
  • #49436 [CVE-2026-9792] ROPC grant bypass in client policy enforcement oidc

Weaknesses

  • #48978 UNSAFE_PATH_PATTERN regex to cover percent-encoded terminators and control characters oidc
  • #48986 Authorization Services: NullPointerException in UMA permission grant when stale permission ticket references removed scope authorization-services
  • #48987 Account API: Resource sharing endpoints ignore userManagedAccessAllowed realm setting authorization-services
  • #49086 Account resource sharing resolves recipient by username before email, granting access to wrong user authorization-services

Enhancements

  • #48311 Upgrade to Quarkus 3.33.2 dist/quarkus
  • #48695 Add startup check for missing database indexes
  • #49148 Add SPI option to disable FD_SOCK2 failure detection
  • #49526 Update to simple-git 3.36.0
  • #49530 Update to uuid >=13.0.1

Bugs

  • #45957 Handling of CORS requests in the Admin UI ineffective / open for CSRF admin/ui
  • #47036 Account ResourceService user endpoint returns excessive user data in UMA-enabled realms core
  • #48324 UMA IS_ADMIN filter breaks ticket finding authorization-services
  • #48430 Wildcard redirect URI matching does not enforce host boundary when * is placed directly after hostname oidc
  • #48432 ClientAdapter using wrong value for isFrontChannelLogout oidc
  • #48438 Keycloak 26.6.0/26.6.1 exits (code 1) ~100ms after async realm migration completes; migrations not persisted core
  • #48455 ContextNotActiveException during error handling core
  • #48464 Incomplete SCIM schema definition for objects scim
  • #48529 Broken downstream docs formatting on Kubernetes topic docs
  • #48584 Updating Keycloak to 26.6.x fails on SQL Server with case sensitive collation core
  • #48628 Client registerNode and unregisterNode endpoints fail authenticating the client core
  • #48681 ExternalLinksTest: oasis-open.org/standard/saml/ returns 403 in CI causing flaky documentation check ci
  • #48716 Missing index IDX_IDP_FOR_LOGIN and IDX_CLIENT_ATT_BY_NAME_VALUE for Microsoft SQL Server core
  • #48744 Input validation/ Unhandled NullPointerException on alg:none JWT in Bearer Authentication authentication
  • #48792 Virtual Thread checking is not working infinispan
  • #48806 NPE when accessing Account UI and the ACCOUNT feature is disabled account/api
  • #48877 Keycloak 26.6.1 does not persist UPDATE_PASSWORD for LDAP/AD federated users after temporary password reset ldap
  • #48904 Consistent 500 on DELETE of realms via non-browser clients calling REST API admin/api
  • #49058 Keycloak fails to run tests with embedded undertow dist/quarkus
  • #49140 Workflows documentation: offboarding example is incorrectly enclosing the list of revoked roles with double quotes workflows
  • #49149 Disable single thread sender in JGroups infinispan
  • #49151 FIPS jobs fail in CI because java-25-openjdk-devel package is missing testsuite
  • #49163 Enable JGroups message stats infinispan
  • #49194 Use Java 25 again for FIPS jobs testsuite
  • #49222 Incorrect link to Themes documentation docs
  • #49224 Broken links in UI Customization Guide docs
  • #49263 Use the PostgreSQL driver privacy option `logServerErrorDetail` dist/quarkus
  • #49265 Since Hibernate 7, the workaround to not log-and-throw Hibernate errors does not longer work dist/quarkus
  • #49274 JavaScript CI hangs when installing playwright testsuite
  • #49288 Link issue in the documentation for https://www.rfc-editor.org/rfc/rfc7662 docs
  • #49356 SAML async processing leaves a dangling threadlocal transaction dist/quarkus
  • #49611 Realm extensions require Bearer or Drop authorisation admin/api
Assets 22
Loading