
26.5.7


@keycloak-bot keycloak-bot released this 02 Apr 14:47

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

  • #45493 CVE-2025-14083 keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure (area: admin/api)
  • #45569 CVE-2026-1002 io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files
  • #47069 CVE-2026-3429 Improper Access Control for LoA During Credential Deletion (area: account/api)
  • #47716 CVE-2026-4634 Keycloak Application-Level DoS via Scope Processing
  • #47717 CVE-2026-4636 UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
  • #47718 CVE-2026-3872 Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
  • #47719 CVE-2026-4282 Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

Enhancements

  • #46631 Upgrade to Quarkus 3.27.3 (area: dist/quarkus)

Bugs

  • #45204 Call without Host header throws uncaught error (area: core)