Releases: keycloak/keycloak
nightly
Optimize SQL statements and transactions for cacheless profile Closes #49697 Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
26.6.3
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #47707 CVE-2026-4800 lodash vulnerable to Code Injection via `_.template` imports key names
account/ui - #47935 [CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint manipulation
oidc - #48036 [CVE-2026-37977] CORS Access-Control-Allow-Origin reflected from unverified JWT azp claim on UMA token endpoint
authorization-services - #48709 [CVE-2026-7500] Improper Access Control on Keycloak Server when the account Account API feature is disabled
account/api - #48805 CVE-2026-42581 Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
- #49118 [CVE-2026-8922] OIDC token introspection ignores realm-level notBefore when client-level notBefore is set
oidc - #49133 [CVE-2026-8830] Missing server-side WebAuthn validations during credential registration
authentication/webauthn - #49174 [CVE-2026-9088] Group Members Endpoint Bypasses User Profile Permissions
admin/fine-grained-permissions - #49175 [CVE-2026-9087] Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login
identity-brokering - #49426 [CVE-2026-9802] Server restart resets startupTime, allowing reuse of rotated refresh tokens when revokeRefreshToken=true
oidc - #49428 [CVE-2026-9794] SAML ECP faultstring discloses client existence and configuration state
saml - #49431 [CVE-2026-9791] Organization data exposed in tokens and account API when Organizations feature is disabled at realm level
organizations - #49433 [CVE-2026-0707] ClientRegistrationAuth DoS via malformed Authorization header (CVE-2026-0707 incomplete fix)
admin/api - #49434 [CVE-2026-9801] DoS in LDAP federation via malformed PasswordPolicyControl
ldap - #49435 [CVE-2026-9704] Privilege escalation via silent subject_token removal in token exchange
oidc - #49436 [CVE-2026-9792] ROPC grant bypass in client policy enforcement
oidc
Weaknesses
- #48978 UNSAFE_PATH_PATTERN regex to cover percent-encoded terminators and control characters
oidc - #48986 Authorization Services: NullPointerException in UMA permission grant when stale permission ticket references removed scope
authorization-services - #48987 Account API: Resource sharing endpoints ignore userManagedAccessAllowed realm setting
authorization-services - #49086 Account resource sharing resolves recipient by username before email, granting access to wrong user
authorization-services
Enhancements
- #48311 Upgrade to Quarkus 3.33.2
dist/quarkus - #48695 Add startup check for missing database indexes
- #49148 Add SPI option to disable FD_SOCK2 failure detection
- #49526 Update to simple-git 3.36.0
- #49530 Update to uuid >=13.0.1
Bugs
- #45957 Handling of CORS requests in the Admin UI ineffective / open for CSRF
admin/ui - #47036 Account ResourceService user endpoint returns excessive user data in UMA-enabled realms
core - #48324 UMA IS_ADMIN filter breaks ticket finding
authorization-services - #48430 Wildcard redirect URI matching does not enforce host boundary when * is placed directly after hostname
oidc - #48432 ClientAdapter using wrong value for isFrontChannelLogout
oidc - #48438 Keycloak 26.6.0/26.6.1 exits (code 1) ~100ms after async realm migration completes; migrations not persisted
core - #48455 ContextNotActiveException during error handling
core - #48464 Incomplete SCIM schema definition for objects
scim - #48529 Broken downstream docs formatting on Kubernetes topic
docs - #48584 Updating Keycloak to 26.6.x fails on SQL Server with case sensitive collation
core - #48628 Client registerNode and unregisterNode endpoints fail authenticating the client
core - #48681 ExternalLinksTest: oasis-open.org/standard/saml/ returns 403 in CI causing flaky documentation check
ci - #48716 Missing index IDX_IDP_FOR_LOGIN and IDX_CLIENT_ATT_BY_NAME_VALUE for Microsoft SQL Server
core - #48744 Input validation/ Unhandled NullPointerException on alg:none JWT in Bearer Authentication
authentication - #48792 Virtual Thread checking is not working
infinispan - #48806 NPE when accessing Account UI and the ACCOUNT feature is disabled
account/api - #48877 Keycloak 26.6.1 does not persist UPDATE_PASSWORD for LDAP/AD federated users after temporary password reset
ldap - #48904 Consistent 500 on DELETE of realms via non-browser clients calling REST API
admin/api - #49058 Keycloak fails to run tests with embedded undertow
dist/quarkus - #49140 Workflows documentation: offboarding example is incorrectly enclosing the list of revoked roles with double quotes
workflows - #49149 Disable single thread sender in JGroups
infinispan - #49151 FIPS jobs fail in CI because java-25-openjdk-devel package is missing
testsuite - #49163 Enable JGroups message stats
infinispan - #49194 Use Java 25 again for FIPS jobs
testsuite - #49222 Incorrect link to Themes documentation
docs - #49224 Broken links in UI Customization Guide
docs - #49263 Use the PostgreSQL driver privacy option `logServerErrorDetail`
dist/quarkus - #49265 Since Hibernate 7, the workaround to not log-and-throw Hibernate errors does not longer work
dist/quarkus - #49274 JavaScript CI hangs when installing playwright
testsuite - #49288 Link issue in the documentation for https://www.rfc-edi...
26.6.2
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #47485 CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service
- #47486 CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing
- #47932 [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters
authorization-services - #48049 [CVE-2026-37980] Stored XSS in select-organization.ftl - FreeMarker HTML-escape insufficient in inline JS handler
organizations - #48275 CVE-2026-5588 Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules
core - #48388 [CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration
authentication/webauthn - #48570 [CVE‐2026‐0636, CVE‐2026‐3505, CVE‐2026‐5598] Multiple bouncycastle CVEs
core - #49108 [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint
- #49109 [CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak
- #49110 [CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data
- #49111 [CVE-2026-7507] Session fixation in OIDC login flow leading to account takeover
- #49112 [CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account
- #49113 [CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens
- #49114 [CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission
- #49115 [CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access)
- #49116 [CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration
Enhancements
- #47728 Monitor backups for CNPG - describe how to monitor it in the CNPG for backups installation guide
- #47734 Add dedicated "Monitoring Standbys" section to the general installation documentation
- #48329 JDBC_PING in 26.6 should not fail with 26.7 schema changes
- #48348 Escape expressions in JS blocks in FTL pages
- #48687 Upgrade to Quarkus 3.33.1.1
Bugs
- #38526 Duplicate user attribute values cannot be removed
core - #40602 Account UI reports "Something went wrong" when opening an unknown path
account/ui - #47882 Broken link in deploy-cnpg
docs - #47901 Realm import with --import-realm fails with ModelValidationException when Admin Permissions is enabled
admin/fine-grained-permissions - #47915 FreeMarker templates allow instantiation of new objects and even running OS commands
login/ui - #47987 FGAP v2 Specific Group permission has no scopes found in resource
admin/fine-grained-permissions - #48030 Update to operator version 26.6.0 needs deletion of all objects
operator - #48040 User session limit generates fatal error
authentication - #48094 Wrong referenced resource type in Workflow handling for clients
core - #48123 Clarify canonicalization in X.509 authentication
authentication - #48143 Ordering of permission and policy calls leads to exposure of a client ID
admin/api - #48185 Deleted workflow still attempting to run
workflows - #48241 JavaScript Injection in frontchannel-logout.ftl via frontchannel-logout.title
authentication - #48259 Kubernetes identity providers docs still mention it to be a preview feature
docs - #48313 No escape approach for JS code inside the front channel logout FTL
login/ui - #48536 Review migration guide for rolling updates changes
workflows - #48629 WindowsServiceDistTest.testServiceLifecycle fails on slower runners due to insufficient startup timeout
ci
26.6.1
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #47276 CVE-2026-4366 Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling
core - #47619 CVE-2026-4633 Keycloak user enumeration via identity-first login
core
Enhancements
Bugs
- #47435 AuroraDB IT CI workflow not cleaning up databases
testsuite - #47737 deploy-testsuite profile is incomplete, causing discrete testsuite execution to fail
testsuite - #47776 False session type of access token in offline_access refresh token flow with scope parameter without offline_access scope
oidc - #47827 az vm create fails with JSON parsing error
ci - #47872 v26.6.0 Operator flood logs with warnings
operator - #47889 Not possible to sync latest keycloak-admin-client to keycloak-client
admin/client-java - #47904 @keycloak/keycloak-admin-client fails to install in version 26.6.0
admin/client-js - #47905 invalid package reference in keycloak-admin-ui
admin/ui - #47908 MigrateTo26_6_0 modifies custom browser flows, breaking existing realm authentication
organizations - #47929 User profile multiselect options not highlighted as selected in dropdown
admin/ui - #47955 IdentityProviderAuthenticator creates an infinite redirect loop when an IdP returns an error (e.g. access_denied) and the login was initiated with kc_idp_hint
identity-brokering - #48015 Missing explicit docs anchor for organizations
docs - #48032 Endpoint Response Text during Bootstrap contains Typo: Boostrap
dist/quarkus
26.6.0
Highlights
This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:
-
JWT Authorization Grant, enabling external-to-internal token exchange using externally signed JWT assertions.
-
Federated client authentication, eliminating the need to manage individual client secrets in Keycloak.
-
Workflows, enabling administrators to automate realm administrative tasks such as user and client lifecycle management.
-
Zero-downtime patch releases, allowing rolling updates within a minor release stream without service downtime.
-
The Keycloak Test Framework, replacing the previous Arquillian-based solution.
All of these features are now fully supported and no longer in preview. Read on to learn more about each new feature. If you are upgrading from a previous release, also review the changes listed in the upgrading guide.
Security and Standards
JWT Authorization Grant (supported)
JWT Authorization Grant (RFC 7523) is designed to implement external-to-internal token exchange use cases. This grant allows using externally signed JWT assertions to request OAuth 2.0 access tokens.
In this release, JWT Authorization Grant is promoted from preview to supported. See the JWT Authorization Grant guide for additional details.
Federated client authentication (supported)
Federated client authentication allows clients to leverage existing credentials once a trust relationship with another issuer exists. It eliminates the need to assign and manage individual secrets for each client in Keycloak.
Federated client authentication is now promoted to supported, including support for client assertions issued by external OpenID Connect identity providers and Kubernetes Service Accounts.
Since the OAuth SPIFFE Client Authentication specification is still in draft status, this feature remains a preview feature in Keycloak.
New guide about Demonstrating Proof-of-Possession (DPoP)
A new guide for OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) in the Securing applications Guides provides information on how to mitigate the risk of stolen tokens by making tokens sender-constrained.
See Securing applications with DPoP for more details.
Identity Brokering APIs V2 (preview)
A new preview version 2 for the Identity Brokering APIs is introduced in this release. When brokering is used during the authentication process, Keycloak allows you to store tokens and responses issued by the external Identity Provider. Applications can call a specific endpoint to retrieve those tokens, which, in turn, can be used to get extra user information or invoke endpoints in the external trust domain. The new version improves the token retrieval endpoint to substitute the internal to external Token Exchange (use case for the legacy Token Exchange V1).
For more information, see the chapter Identity Brokering APIs in the Server Developer Guide.
Step-up authentication for SAML (preview)
The feature step-up-authentication-saml extends the step-up authentication to include the SAML protocol and clients. This feature is in preview mode. Additional information is available in the Server Administration Guide.
OAuth Client ID Metadata Document (experimental)
OAuth Client ID Metadata Document (CIMD) is an emerging standard that defines a JSON document format for describing OAuth 2.0 client metadata. Since version 2025-11-25, the Model Context Protocol (MCP) requires an authorization server to comply with CIMD. Keycloak now includes experimental support for CIMD, allowing it to serve as an authorization server for MCP version 2025-11-25 or later.
See Integrating with Model Context Protocol (MCP) for the updated guide including CIMD.
Many thanks to Takashi Norimatsu for the contribution.
Administration
Workflows (supported)
Workflows allow administrators to automate and orchestrate realm administrative tasks, bringing key capabilities of Identity Governance and Administration (IGA) to Keycloak. By defining workflows in YAML format, you can automate the lifecycle of realm resources such as users and clients based on events, conditions, and schedules.
In this release, Workflows is promoted from preview to supported. This release also includes new built-in steps, a troubleshooting guide, and various improvements to the workflow engine.
For more details, see the Managing workflows chapter in the Server Administration Guide.
Organization groups
Organizations now support isolated group hierarchies, allowing each organization to manage its own teams and departments without naming conflicts across the realm. This update includes Identity Provider mappers to automatically assign federated users to organization groups based on external claims. Group membership is automatically included in OIDC tokens and SAML assertions when an organization context is requested.
For more details, see the Managing organization groups guide.
New Groups scope for user membership changes
Fine-Grained Admin Permissions (FGAP) now includes a new Groups scope: manage-membership-of-members.
This scope is now used as the group-side bridge for evaluating user-side manage-group-membership permissions based on a user’s current group memberships.
The existing manage-membership scope keeps its current behavior for target group membership management operations.
Looking up client secrets via the Vault SPI
Secrets for clients can now be managed and looked up by the Vault SPI.
Thank you to Tero Saarni for contributing this change.
Forcing password change for LDAP users
There is now initial support for LDAP password policy control. The support is limited to prompting users to update their password when the LDAP server indicates that the password must be changed. Previously, Keycloak let the user in and ignored the mandatory password reset. There is a new optional setting “Enable LDAP password policy” in the LDAP advanced settings to enable this.
Thank you to Tero Saarni for contributing this change.
Configuring and Running
Java 25 support
Keycloak now supports running with OpenJDK 25. The server container image continues to use OpenJDK 21 for now to support FIPS mode. For details, see the note in the FIPS guide.
Zero-downtime patch releases (supported)
Zero-downtime patch releases allow you to perform rolling updates when upgrading to a newer patch version within the same major.minor release stream without service downtime.
Contributors
Assets 23
26.5.7
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #45493 CVE-2025-14083 keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure
admin/api - #45569 CVE-2026-1002 - io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files
- #47069 CVE-2026-3429 Improper Access Control for LoA During Credential Deletion
account/api - #47716 CVE-2026-4634 Keycloak Application-Level DoS via Scope Processing
- #47717 CVE-2026-4636 UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
- #47718 CVE-2026-3872 Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
- #47719 CVE-2026-4282 Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw
Enhancements
- #46631 Upgrade to Quarkus 3.27.3
dist/quarkus
Bugs
- #45204 Call without Host header throws uncaught error
core
26.5.6
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #45645 CVE-2026-1180 - Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri
oidc - #45647 CVE-2026-1035 - Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition
oidc - #45650 CVE-2025-14777 - Keycloak IDOR in realm client creating/deleting
- #45653 CVE-2025-14082 keycloak-server: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure
- #46719 CVE-2026-3121 - Keycloak: Privilege escalation via manage-clients permission
- #46723 CVE-2026-3190 - Information Disclosure via improper role enforcement in UMA 2.0 Protection API
core - #46922 CVE-2026-3911 Keycloak: Information disclosure of disabled user attributes via administrative endpoint
user-profile - #47062 CVE-2026-2366 Authorization Bypass: Unprivileged tokens can enumerate user organization memberships
organizations
Bugs
- #45889 Federated user disabled when external DB unavailable, never re-enabled
storage - #46239 AUTH_SESSION_ID cookie reuse causes cross-user session contamination on re-authentication
authentication - #46296 UsersResource.search briefRepresentation started to return user attributes
admin/api - #46379 Unexpected error when logging out with offline session and external IDP
oidc - #46459 Operator-built DB config: targetServerType=primary not applied / connection validation not working after master-replica failover (26.5.0)
operator - #46588 Partial LDAP sync duration does not follow the defined value in user federation
ldap - #46605 26.5.4 startup regression with many realms: RealmCacheSession.prepareCachedRealm() scans master admin role composites per realm (O(N²))
core - #46656 Em-Hyphens in SPI options on cache configuration page
docs - #46663 JGroups bind port configuration ignored when --cache-embedded-network-bind-port set
infinispan - #46669 SPIFFE Client assertion throws a NullPointerException if no client is found
token-exchange - #47079 Do not allow fetching organizations of a member if not a member of the current organization
organizations
26.5.5
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #46909 CVE-2026-3047 SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login
- #46910 CVE-2026-3009 Improper Enforcement of Disabled Identity Provider in IdentityBrokerService
- #46911 CVE-2026-2603 Disabled SAML IdP still allows IdP-initiated broker login
- #46912 CVE-2026-2092 saml broker encrypted assertion injection
26.5.4
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #45646 CVE-2026-1190 - Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData
saml - #45649 CVE-2026-0707: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass
- #45776 CVE-2025-5416 keycloak-core: Keycloak Environment Information
- #46372 CVE-2026-2575 - Denial of Service due to excessive SAMLRequest decompression
saml - #46462 CVE-2026-2733 Missing Check on Disabled Client for Docker Registry Protocol
Enhancements
- #46090 New key affinity for session ids
Bugs
- #44488 "Update email" AIA: "Back to Application" URL invokes OIDC callback with missing parameters
oidc - #45065 Client deletion timeout due to large number of client roles
storage - #45680 auth_mellon (SAML) authentication fails after upgrade to 26.5.1 (from 26.4.6)
saml - #45728 Information Disclosure of Client Secret on Unauthenticated Config Endpoint
oidc - #45874 Disabled organizations still resolve in organization‑aware login flows
organizations - #45966 KeycloakRealmImport: Realm created in DB but not visible in Admin Console until restart
operator - #45980 Keycloak cluster with 3 nodes and jdbc-ping stack fails to rejoin after temporary network partition
infinispan - #46100 Makes Database Query on Every Login Page Load Instead of Using Cache
infinispan - #46150 Move upgrading note for SAML to 26.5.4
docs - #46178 Regression: cannot authenticate in keycloak-admin-client
adapter/javascript - #46290 Incorrect code used error, leading to "400 / Code already used" during Infinispan state transfers
infinispan - #46303 JWT Authorization Grant: Always getting “Token was issued too far in the past to be used now” for EntraID issued tokens
oidc - #46312 io.fabric8:docker-maven-plugin:0.40.3:start failed: Cannot invoke "com.google.gson.JsonElement.isJsonNull()" because the return value of "com.google.gson.JsonObject.get(String)" is null
ci
26.5.3
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #46144 CVE-2026-1609 Disabled users can still obtain tokens via JWT Authorization Grant
- #46145 CVE-2026-1529 Forged invitation JWT enables cross-organization self-registration
- #46146 CVE-2026-1486 Logic Bypass in JWT Authorization Grant Allows Authentication via Disabled Identity Providers
- #46147 CVE-2025-14778 Incorrect ownership checks in /uma-policy/
Enhancements
- #45892 Upgrade minikube for CI tests
operator
Bugs
- #44379 Node.js admin client does not refresh tokens
admin/client-js - #45459 k8s multiple restart (oomkilled) in v26.5.0-0 during startup because of RAM
dist/quarkus - #45662 Increase in startup memory consumption in post 26.5 versions
dist/quarkus - #45677 Hibernate Validator is enabled by default when not used
dist/quarkus - #45708 Unpexted value '' in mixed-cluster-compatibility-tests
testsuite - #45745 mixed-cluster-compatibility-tests fail due to incorrectly masked content in 26.5 branch
ci - #45755 Broken YAML indentation in operator rolling updates doc
docs - #45780 Remove fatal log messages from `ConsistentHash`