Keycloak - Package Updates

Package Updates

[1.3.5]

• Update keycloak to 26.3.5
• Full Changelog

Package Updates

[1.4.0]

• Update keycloak to 26.4.0
• Full Changelog
• Passkeys for seamless, passwordless authentication of users.
• Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.
• Simplified deployments across multiple availability zones to boost availability.
• FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.
• DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.
• FIPS 140-2 mode now supports EdDSA
• Listing supported OAuth standards on one page
• Automatic certificate management for SAML clients
• Update Email Workflow (supported)
• Optional email domain for organizations

Package Updates

[1.4.1]

• Update keycloak to 26.4.1
• Full Changelog
• #​43020 Secure Client-Initiated Renegotiation - disable by default dist/quarkus
• #​42990 Hide read-only email attribute in update profile context with update email enabled user-profile
• #​43357 JDBC_PING should publish its physical address on startup
• #​40965 Group permission denies to view user admin/fine-grained-permissions
• #​41292 openid-connect flow is missing response type on language change authentication
• #​42565 Standard Token Exchange: chain of exchanges eventually fails token-exchange
• #​42676 Security Defenses realm settings lost when switching between Headers and Brute Force Detection tabs (v25+) admin/ui
• #​42907 Race condition in authorization service leads to NullPointerException when evaluating permissions during concurrent resource deletion authorization-services
• #​43042 Avoid NPE in FederatedJWTClientAuthenticator when checking for supported assertion types core
• #​43070 Update email page with pending verification email messages prefilled with old email user-profile

Package Updates

[1.4.2]

• Update keycloak to 26.4.2
• Full Changelog
• #43351 Make pending email verification attribute removable by admin user-profile
• #43650 SPIFFE should support OIDC JWK endpoint
• #30939 Vulnerability in brute force detection settings authentication
• #43022 Incorrect Basic Auth encoding for OIDC IDentity Provider when Client ID contains colon identity-brokering
• #43244 UI crash on admin /users/add-user since 26.4.0 admin/ui
• #43561 Server does not shutdown gracefully when started with --optimized core

Package Updates

[1.4.3]

• Update keycloak to 26.4.4
• Full Changelog
• #10388 Allow to hide client scopes from scopes_supported in discovery endpoint
• #43076 Add rate limiter for sending verification emails in context of update email
• #43509 Role authorization for workflows. admin/api
• #41270 Cannot save new attribute group admin/ui
• #41271 Changing user profile attribute results in an error everytime admin/ui
• #43082 ExternalLinksTest is broken due to missing path parameters docs
• #43091 Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login login/ui
• #43160 Regression in DEBUG_PORT handling since 26.4.0 host binding (*:port / 0.0.0.0:port) no longer works dist/quarkus
• #43460 FGAP/UI: reset-password succeeds but UI shows 403 without Users:manage admin/fine-grained-permissions
• #43505 DPoP proof replay check doesn't consider clock skew oidc

Package Updates

[1.4.4]

• Update keycloak to 26.4.5
• Full Changelog
• #​43564 Invalid liquibase check sum for jpa-changelog-2.5.0.xml <code>core</code>
• #​43718 Email Not Persisted During Registration When "Email as Username" is Enabled and User Edit Permission is Disabled <code>user-profile</code>
• #​43793 import does not seem to run db migration <code>import-export</code>
• #​43883 Creating group policy on a client uses "manage-clients" role if FGAP V1 is disabled <code>authorization-services</code>
• #​44010 Ordering attributes will unset the unmanaged attribute policy <code>user-profile</code>
• #​44031 Can't build keycloak 26.4.4 with quarkus.launch.rebuild=true <code>dist/quarkus</code>
• #​44056 Allow only normalized URLs in requests caused a regression in view authz permission details in Admin Consol <code>admin/ui</code>

Package Updates

[1.4.5]

• Update keycloak to 26.4.6
• Full Changelog
• This release adds filtering of LDAP referrals by default.
• #43323 Sessions not removed when user is deleted infinispan
• #43738 UPDATE_EMAIL action invalidates old email login/ui
• #43812 Admin console sends non-JSON payload with content-type: application/json admin/ui
• #44125 Double-encoding of query parameter values (e.g. acr_values) for version 26.4 identity-brokering
• #44189 [jdbc-ping] SQLIntegrityConstraintViolationException: Duplicate entry infinispan
• #44229 Unexpected FORMAT_FAILURE error when using cache-config-file with feature-disabled=persistent-user-sessions infinispan
• #44269 Admin Client creates malformed paths for requests admin/client-js
• #44287 Caching of static theme resources in dev mode is disabled core

Package Updates

[1.4.6]

• Update keycloak to 26.4.7
• Full Changelog
• #43156 [Docs] Warn users about printing headers in HTTP access logs docs
• #43643 Upgrade to Quarkus 3.27.1 dist/quarkus
• #44438 Intermittent ConcurrentModificationException during SAML initialization causing status code 400 for clients saml
• #44480 Wrong persistent group permissions when multiple group membership changes happen in the same request core

Package Updates

[1.5.0]

• Update keycloak to 26.5.0
• Full Changelog
• Workflows to automate administrative tasks and process within a realm.
• JWT Authorization Grants, our recommended alternative to external to internal token exchange.
• Guide for using Keycloak as an authorization server for Model Context Protocol (MCP) servers.
• Authenticating clients with Kubernetes service account tokens to avoid static client secrets.
• OpenTelemetry support for metrics and logging, combining all observability information in this popular standard.
• CORS (Cross Origin Resource Sharing) is a browser security feature that controls how web pages on one domain can request resources from a different domain.
• For the OpenID Connect Dynamic Client Registration, you can now specify which CORS headers are allowed via the client registration access policies.
• For the overall CORS configuration, you can now allow environment specific headers to be allowed using the SPI option spi-cors--default--allowed-headers.
• The client logout configuration now includes an option to show a logout confirmation page. When enabled, users will see a You are logged out confirmation page upon successful logout.
• Previously, all scopes of an OpenID Connect client were advertised in the discovery endpoint.

Package Updates

[1.5.1]

• Update keycloak to 26.5.1
• Full Changelog
• #​44863 x-robots HTTP header missing for static Keycloak resources, and REST endpoint responses
• #​45009 Performance improvement: Missing indexes on BROKER_LINK table columns
• #​45182 Allow full managing of realms from master realm without global admin role
• #​43975 Test Framework -> Embedded server -> Maven execution failure: Failed to read script file from: scripts/default-policy.js <code>test-framework</code>
• #​44371 403 Forbidden when assigning realm-management client roles despite FGAP disabled (regression in 26.4.0+) <code>admin/fine-grained-permissions</code>
• #​44417 Security issue with Organization feature exposes and fills the account name automatically in user/password form <code>organizations</code>
• #​44783 Create Realm button is missing when user has create-realm role <code>admin/ui</code>
• #​44860 Admin UI: slow response time listing second user page <code>admin/ui</code>
• #​45003 Bug in JWTClientAuthenticator and JWTClientSecretAuthenticator causes NPE <code>authentication</code>
• #​45093 Enable visibility of Role Mapping tab for users with view-users role <code>admin/ui</code>

Package Updates

[1.5.2]

• Update keycloak to 26.5.2
• Full Changelog
• #​44994 CVE-2025-67735 - netty-codec-http: Request Smuggling via CRLF Injection dependencies
• #​43443 Keycloak should warn when ISPN or JGROUPS is running in debug level logging
• #​45498 Ignore OpenAPI artifacts when disabled dist/quarkus
• #​44785 Can not get through SSO login if using a custom attribute with default value user-profile
• #​45015 Deadlock in Infinispan virtual threads infinispan
• #​45250 IDToken contains duplicate address claims oidc
• #​45333 User admin events don't show role, group mapping, reset password like events admin/ui
• #​45396 Database Migration fails when updating to 26.5.0 on MS SQL core
• #​45415 cache-remote-host becomes mandatory at build time when using clusterless feature infinispan
• #​45417 Unmanaged Attributes Type (Only administrators can view) allows admin API to set Unmanaged Attributes user-profile

Package Updates

[1.5.3]

• Update keycloak to 26.5.3
• Full Changelog
• 46144 CVE-2026-1609 Disabled users can still obtain tokens via JWT Authorization Grant
• 46145 CVE-2026-1529 Forged invitation JWT enables cross-organization self-registration
• 46146 CVE-2026-1486 Logic Bypass in JWT Authorization Grant Allows Authentication via Disabled Identity Providers
• 46147 CVE-2025-14778 Incorrect ownership checks in /uma-policy/
• 45892 Upgrade minikube for CI tests operator
• 44379 Node.js admin client does not refresh tokens admin/client-js
• 45459 k8s multiple restart (oomkilled) in v26.5.0-0 during startup because of RAM dist/quarkus
• 45662 Increase in startup memory consumption in post 26.5 versions dist/quarkus
• 45677 Hibernate Validator is enabled by default when not used dist/quarkus
• 45708 Unpexted value '' in mixed-cluster-compatibility-tests testsuite

Package Updates

[1.5.4]

• Update keycloak to 26.5.4
• Full Changelog
• CVE-2026-1190 - Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData saml
• CVE-2026-0707: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass
• CVE-2025-5416 keycloak-core: Keycloak Environment Information
• CVE-2026-2575 - Denial of Service due to excessive SAMLRequest decompression saml
• CVE-2026-2733 Missing Check on Disabled Client for Docker Registry Protocol
• New key affinity for session ids
• "Update email" AIA: "Back to Application" URL invokes OIDC callback with missing parameters oidc
• Client deletion timeout due to large number of client roles storage
• auth_mellon (SAML) authentication fails after upgrade to 26.5.1 (from 26.4.6) saml
• Information Disclosure of Client Secret on Unauthenticated Config Endpoint oidc

Package Updates

[1.5.5]

• Update keycloak to 26.5.5
• Full Changelog
• <a href="https://github.com/keycloak/keycloak/issues/46909">#​46909</a> CVE-2026-3047 SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login </li>
• <a href="https://github.com/keycloak/keycloak/issues/46910">#​46910</a> CVE-2026-3009 Improper Enforcement of Disabled Identity Provider in IdentityBrokerService </li>
• <a href="https://github.com/keycloak/keycloak/issues/46911">#​46911</a> CVE-2026-2603 Disabled SAML IdP still allows IdP-initiated broker login </li>
• <a href="https://github.com/keycloak/keycloak/issues/46912">#​46912</a> CVE-2026-2092 saml broker encrypted assertion injection </li>