Keycloak - Package Updates

Reply to Keycloak - Package Updates on Thu, 09 Apr 2026 10:01:50 GMT

Package Updates — Thu, 09 Apr 2026 10:01:50 GMT

[1.6.0]

Update keycloak to 26.6.0
Full Changelog
JWT Authorization Grant, enabling external-to-internal token exchange using externally signed JWT assertions.
Federated client authentication, eliminating the need to manage individual client secrets in Keycloak.
Workflows, enabling administrators to automate realm administrative tasks such as user and client lifecycle management.
Zero-downtime patch releases, allowing rolling updates within a minor release stream without service downtime.
The Keycloak Test Framework, replacing the previous Arquillian-based solution.
JWT Authorization Grant (supported)
Federated client authentication (supported)
New guide about Demonstrating Proof-of-Possession (DPoP)
Identity Brokering APIs V2 (preview)
Step-up authentication for SAML (preview)

Reply to Keycloak - Package Updates on Thu, 02 Apr 2026 15:23:38 GMT

Package Updates — Thu, 02 Apr 2026 15:23:38 GMT

[1.5.7]

Update keycloak to 26.5.7
Full Changelog

Reply to Keycloak - Package Updates on Fri, 20 Mar 2026 07:28:18 GMT

Package Updates — Fri, 20 Mar 2026 07:28:18 GMT

[1.5.6]

Update keycloak to 26.5.6
Full Changelog
CVE-2026-1180 - Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri oidc
CVE-2026-1035 - Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition oidc
CVE-2025-14777 - Keycloak IDOR in realm client creating/deleting
CVE-2025-14082 keycloak-server: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure
CVE-2026-3121 - Keycloak: Privilege escalation via manage-clients permission
CVE-2026-3190 - Information Disclosure via improper role enforcement in UMA 2.0 Protection API core
CVE-2026-3911 Keycloak: Information disclosure of disabled user attributes via administrative endpoint user-profile
CVE-2026-2366 Authorization Bypass: Unprivileged tokens can enumerate user organization memberships organizations
Federated user disabled when external DB unavailable, never re-enabled storage
AUTH_SESSION_ID cookie reuse causes cross-user session contamination on re-authentication authentication

Reply to Keycloak - Package Updates on Fri, 06 Mar 2026 03:08:02 GMT

Package Updates — Fri, 06 Mar 2026 03:08:02 GMT

[1.5.5]

Update keycloak to 26.5.5
Full Changelog
https://github.com/keycloak/keycloak/issues/46909">#46909 CVE-2026-3047 SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login
https://github.com/keycloak/keycloak/issues/46910">#46910 CVE-2026-3009 Improper Enforcement of Disabled Identity Provider in IdentityBrokerService
https://github.com/keycloak/keycloak/issues/46911">#46911 CVE-2026-2603 Disabled SAML IdP still allows IdP-initiated broker login
https://github.com/keycloak/keycloak/issues/46912">#46912 CVE-2026-2092 saml broker encrypted assertion injection

Reply to Keycloak - Package Updates on Fri, 20 Feb 2026 14:03:01 GMT

Package Updates — Fri, 20 Feb 2026 14:03:01 GMT

[1.5.4]

Update keycloak to 26.5.4
Full Changelog
CVE-2026-1190 - Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData saml
CVE-2026-0707: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass
CVE-2025-5416 keycloak-core: Keycloak Environment Information
CVE-2026-2575 - Denial of Service due to excessive SAMLRequest decompression saml
CVE-2026-2733 Missing Check on Disabled Client for Docker Registry Protocol
New key affinity for session ids
"Update email" AIA: "Back to Application" URL invokes OIDC callback with missing parameters oidc
Client deletion timeout due to large number of client roles storage
auth_mellon (SAML) authentication fails after upgrade to 26.5.1 (from 26.4.6) saml
Information Disclosure of Client Secret on Unauthenticated Config Endpoint oidc

Reply to Keycloak - Package Updates on Wed, 11 Feb 2026 10:05:41 GMT

Package Updates — Wed, 11 Feb 2026 10:05:41 GMT

[1.5.3]

Update keycloak to 26.5.3
Full Changelog
46144 CVE-2026-1609 Disabled users can still obtain tokens via JWT Authorization Grant
46145 CVE-2026-1529 Forged invitation JWT enables cross-organization self-registration
46146 CVE-2026-1486 Logic Bypass in JWT Authorization Grant Allows Authentication via Disabled Identity Providers
46147 CVE-2025-14778 Incorrect ownership checks in /uma-policy/
45892 Upgrade minikube for CI tests operator
44379 Node.js admin client does not refresh tokens admin/client-js
45459 k8s multiple restart (oomkilled) in v26.5.0-0 during startup because of RAM dist/quarkus
45662 Increase in startup memory consumption in post 26.5 versions dist/quarkus
45677 Hibernate Validator is enabled by default when not used dist/quarkus
45708 Unpexted value '' in mixed-cluster-compatibility-tests testsuite

Reply to Keycloak - Package Updates on Fri, 23 Jan 2026 16:45:27 GMT

Package Updates — Fri, 23 Jan 2026 16:45:27 GMT

[1.5.2]

Update keycloak to 26.5.2
Full Changelog
#44994 CVE-2025-67735 - netty-codec-http: Request Smuggling via CRLF Injection dependencies
#43443 Keycloak should warn when ISPN or JGROUPS is running in debug level logging
#45498 Ignore OpenAPI artifacts when disabled dist/quarkus
#44785 Can not get through SSO login if using a custom attribute with default value user-profile
#45015 Deadlock in Infinispan virtual threads infinispan
#45250 IDToken contains duplicate address claims oidc
#45333 User admin events don't show role, group mapping, reset password like events admin/ui
#45396 Database Migration fails when updating to 26.5.0 on MS SQL core
#45415 cache-remote-host becomes mandatory at build time when using clusterless feature infinispan
#45417 Unmanaged Attributes Type (Only administrators can view) allows admin API to set Unmanaged Attributes user-profile

Reply to Keycloak - Package Updates on Wed, 14 Jan 2026 20:54:55 GMT

Package Updates — Wed, 14 Jan 2026 20:54:55 GMT

[1.5.1]

Update keycloak to 26.5.1
Full Changelog
#44863 x-robots HTTP header missing for static Keycloak resources, and REST endpoint responses
#45009 Performance improvement: Missing indexes on BROKER_LINK table columns
#45182 Allow full managing of realms from master realm without global admin role
#43975 Test Framework -> Embedded server -> Maven execution failure: Failed to read script file from: scripts/default-policy.js test-framework
#44371 403 Forbidden when assigning realm-management client roles despite FGAP disabled (regression in 26.4.0+) admin/fine-grained-permissions
#44417 Security issue with Organization feature exposes and fills the account name automatically in user/password form organizations
#44783 Create Realm button is missing when user has create-realm role admin/ui
#44860 Admin UI: slow response time listing second user page admin/ui
#45003 Bug in JWTClientAuthenticator and JWTClientSecretAuthenticator causes NPE authentication
#45093 Enable visibility of Role Mapping tab for users with view-users role admin/ui

Reply to Keycloak - Package Updates on Tue, 06 Jan 2026 08:52:38 GMT

Package Updates — Tue, 06 Jan 2026 08:52:38 GMT

[1.5.0]

Update keycloak to 26.5.0
Full Changelog
Workflows to automate administrative tasks and process within a realm.
JWT Authorization Grants, our recommended alternative to external to internal token exchange.
Guide for using Keycloak as an authorization server for Model Context Protocol (MCP) servers.
Authenticating clients with Kubernetes service account tokens to avoid static client secrets.
OpenTelemetry support for metrics and logging, combining all observability information in this popular standard.
CORS (Cross Origin Resource Sharing) is a browser security feature that controls how web pages on one domain can request resources from a different domain.
For the OpenID Connect Dynamic Client Registration, you can now specify which CORS headers are allowed via the client registration access policies.
For the overall CORS configuration, you can now allow environment specific headers to be allowed using the SPI option spi-cors--default--allowed-headers.
The client logout configuration now includes an option to show a logout confirmation page. When enabled, users will see a You are logged out confirmation page upon successful logout.
Previously, all scopes of an OpenID Connect client were advertised in the discovery endpoint.

Reply to Keycloak - Package Updates on Tue, 02 Dec 2025 08:14:37 GMT

Package Updates — Tue, 02 Dec 2025 08:14:37 GMT

[1.4.6]

Update keycloak to 26.4.7
Full Changelog
#43156 [Docs] Warn users about printing headers in HTTP access logs docs
#43643 Upgrade to Quarkus 3.27.1 dist/quarkus
#44438 Intermittent ConcurrentModificationException during SAML initialization causing status code 400 for clients saml
#44480 Wrong persistent group permissions when multiple group membership changes happen in the same request core

Reply to Keycloak - Package Updates on Wed, 26 Nov 2025 07:32:15 GMT

Package Updates — Wed, 26 Nov 2025 07:32:15 GMT

[1.4.5]

Update keycloak to 26.4.6
Full Changelog
This release adds filtering of LDAP referrals by default.
#43323 Sessions not removed when user is deleted infinispan
#43738 UPDATE_EMAIL action invalidates old email login/ui
#43812 Admin console sends non-JSON payload with content-type: application/json admin/ui
#44125 Double-encoding of query parameter values (e.g. acr_values) for version 26.4 identity-brokering
#44189 [jdbc-ping] SQLIntegrityConstraintViolationException: Duplicate entry infinispan
#44229 Unexpected FORMAT_FAILURE error when using cache-config-file with feature-disabled=persistent-user-sessions infinispan
#44269 Admin Client creates malformed paths for requests admin/client-js
#44287 Caching of static theme resources in dev mode is disabled core

Reply to Keycloak - Package Updates on Thu, 13 Nov 2025 08:04:38 GMT

Package Updates — Thu, 13 Nov 2025 08:04:38 GMT

[1.4.4]

Update keycloak to 26.4.5
Full Changelog
#43564 Invalid liquibase check sum for jpa-changelog-2.5.0.xml core
#43718 Email Not Persisted During Registration When "Email as Username" is Enabled and User Edit Permission is Disabled user-profile
#43793 import does not seem to run db migration import-export
#43883 Creating group policy on a client uses "manage-clients" role if FGAP V1 is disabled authorization-services
#44010 Ordering attributes will unset the unmanaged attribute policy user-profile
#44031 Can't build keycloak 26.4.4 with quarkus.launch.rebuild=true dist/quarkus
#44056 Allow only normalized URLs in requests caused a regression in view authz permission details in Admin Consol admin/ui

Reply to Keycloak - Package Updates on Sat, 08 Nov 2025 07:57:16 GMT

Package Updates — Sat, 08 Nov 2025 07:57:16 GMT

[1.4.3]

Update keycloak to 26.4.4
Full Changelog
#10388 Allow to hide client scopes from scopes_supported in discovery endpoint
#43076 Add rate limiter for sending verification emails in context of update email
#43509 Role authorization for workflows. admin/api
#41270 Cannot save new attribute group admin/ui
#41271 Changing user profile attribute results in an error everytime admin/ui
#43082 ExternalLinksTest is broken due to missing path parameters docs
#43091 Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login login/ui
#43160 Regression in DEBUG_PORT handling since 26.4.0 host binding (*:port / 0.0.0.0:port) no longer works dist/quarkus
#43460 FGAP/UI: reset-password succeeds but UI shows 403 without Users:manage admin/fine-grained-permissions
#43505 DPoP proof replay check doesn't consider clock skew oidc

Reply to Keycloak - Package Updates on Fri, 24 Oct 2025 07:54:37 GMT

Package Updates — Fri, 24 Oct 2025 07:54:37 GMT

[1.4.2]

Update keycloak to 26.4.2
Full Changelog
#43351 Make pending email verification attribute removable by admin user-profile
#43650 SPIFFE should support OIDC JWK endpoint
#30939 Vulnerability in brute force detection settings authentication
#43022 Incorrect Basic Auth encoding for OIDC IDentity Provider when Client ID contains colon identity-brokering
#43244 UI crash on admin /users/add-user since 26.4.0 admin/ui
#43561 Server does not shutdown gracefully when started with --optimized core

Reply to Keycloak - Package Updates on Thu, 16 Oct 2025 17:09:51 GMT

Package Updates — Thu, 16 Oct 2025 17:09:51 GMT

[1.4.1]

Update keycloak to 26.4.1
Full Changelog
#43020 Secure Client-Initiated Renegotiation - disable by default dist/quarkus
#42990 Hide read-only email attribute in update profile context with update email enabled user-profile
#43357 JDBC_PING should publish its physical address on startup
#40965 Group permission denies to view user admin/fine-grained-permissions
#41292 openid-connect flow is missing response type on language change authentication
#42565 Standard Token Exchange: chain of exchanges eventually fails token-exchange
#42676 Security Defenses realm settings lost when switching between Headers and Brute Force Detection tabs (v25+) admin/ui
#42907 Race condition in authorization service leads to NullPointerException when evaluating permissions during concurrent resource deletion authorization-services
#43042 Avoid NPE in FederatedJWTClientAuthenticator when checking for supported assertion types core
#43070 Update email page with pending verification email messages prefilled with old email user-profile

Reply to Keycloak - Package Updates on Wed, 01 Oct 2025 00:39:00 GMT

Package Updates — Wed, 01 Oct 2025 00:39:00 GMT

[1.4.0]

Update keycloak to 26.4.0
Full Changelog
Passkeys for seamless, passwordless authentication of users.
Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.
Simplified deployments across multiple availability zones to boost availability.
FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.
DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.
FIPS 140-2 mode now supports EdDSA
Listing supported OAuth standards on one page
Automatic certificate management for SAML clients
Update Email Workflow (supported)
Optional email domain for organizations

Reply to Keycloak - Package Updates on Thu, 25 Sep 2025 07:49:19 GMT

Package Updates — Thu, 25 Sep 2025 07:49:19 GMT

[1.3.5]

Update keycloak to 26.3.5
Full Changelog

Reply to Keycloak - Package Updates on Sat, 13 Sep 2025 12:29:55 GMT

Package Updates — Sat, 13 Sep 2025 12:29:55 GMT

[1.3.4]

Update keycloak to 26.3.4
Full Changelog
#40630 Double check when working with multithreading. SAST
#42245 Upgrade to Quarkus 3.20.2.2
#35825 Per client session idle time capped by realm level client idle timeout core
#40374 Random but frequent duplicate key value violates unique constraint "constraint_offl_us_ses_pk2" errors authentication
#40463 Login to Account Console produces two consecutive LOGIN events account/ui
#40857 Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow oidc
#41427 Parallel token exchange fails if client session is expired token-exchange
#41801 Lack of coordination in database creation in 26.3.0 causes deployment failures (Reopen) core
#41942 Uncaught server error: org.keycloak.models.ModelException: Database operation failed : Sync LDAP Groups to Keycloak (Custom Provider) core
#42012 Client session timestamp not updated in the database if running multiple nodes infinispan

Reply to Keycloak - Package Updates on Thu, 21 Aug 2025 07:54:15 GMT

Package Updates — Thu, 21 Aug 2025 07:54:15 GMT

[1.3.3]

Update keycloak to 26.3.3
Full Changelog
#39562 Breaking template change: Unknown locale input field added to user-profile registration page user-profile
#40984 Backchannel logout token with an unexpected signature algorithm key oidc
#41023 Can't send e-mails to international e-mail addresses: bad UTF-8 syntax core
#41098 Locked out after upgrade to 26.3.1 due to missing sub in lightweight access token core
#41268 --optimized flag and providers jar are incompatible when used with tools changing last-modify-date dist/quarkus
#41290 Concurrent starts with JDBC_PING lead to a split cluster infinispan
#41390 JDBC_PING2 doesn't merge split clusters after a while infinispan
#41421 Broken link securing-cache-communication in caching docs docs
#41423 Duplicate IDs in generated all configuration docs docs
#41469 Uncaught exception cases unclosed spans in tracing dist/quarkus

Reply to Keycloak - Package Updates on Fri, 25 Jul 2025 13:25:54 GMT

Package Updates — Fri, 25 Jul 2025 13:25:54 GMT

[1.3.2]

Update keycloak to 26.3.2
Full Changelog
#40237 Add option "Requires short state parameter" to OIDC IDP authentication
#40970 Run clustering compatibility tests on release/x.y branches
#41034 Improve logging for client sessions load
#41257 Upgrade to Infinispan 15.0.18.Final infinispan
#39634 Update MariaDB connector to 3.5.3 dist/quarkus
#40553 Upgrade org.postgresql:postgresql to version 42.7.7 to address CVE-2025-49146 dependencies
#40736 CVE-2025-49574 - Exposure of Resource to Wrong Sphere vulnerability in io.vertx:vertx-core dependencies
#40784 Default jdbc-ping cluster setup for distributed caches fails in Oracle infinispan
#40980 Can't update security-admin-console via admin UI with volatile sessions infinispan
#40995 LDAP / ModelException: At least one condition should be provided to OR query core

Reply to Keycloak - Package Updates on Thu, 10 Jul 2025 07:23:25 GMT

Package Updates — Thu, 10 Jul 2025 07:23:25 GMT

[1.3.1]

Update keycloak to 26.3.1
Full Changelog

Reply to Keycloak - Package Updates on Fri, 04 Jul 2025 07:20:28 GMT

Package Updates — Fri, 04 Jul 2025 07:20:28 GMT

[1.3.0]

Update keycloak to 26.3.0
Full Changelog
Account recovery with 2FA recovery codes, protecting users from lockout.
Simplified experiences for application developers with streamlined WebAuthn/Passkey registration and simplified account linking to identity providers via application initiated actions.
Broader connectivity with the ability to broker with any OAuth 2.0 compliant authorization server, and enhanced trusted email verification for OpenID Connect providers.
Asynchronous logging for higher throughput and lower latency, ensuring more efficient deployments.
For administrators, experimental rolling updates for patch releases mean minimized downtime and smoother upgrades.
The custom protocol, which was previously used for client-initiated account linking, is now deprecated.
#21995 Configurable probes in the Operator operator
#29116 Add supported config options for additional datasources dist/quarkus
#29596 Passkeys conditional UI: integration with username/password form authentication/webauthn
#38465 Name for OTP device should be unique account/api
#38985 Possibility to log details and representation to the jboss-logging listener

Reply to Keycloak - Package Updates on Wed, 28 May 2025 09:23:46 GMT

Package Updates — Wed, 28 May 2025 09:23:46 GMT

[1.2.5]

Update keycloak to 26.2.5
Full Changelog
Fix Securing Apps links to adapters docs
Email server credentials can be harvested through host/port manipulation admin/api
Fix doc link to FGAP v1 docs
Apply edits to Operators Guide docs
Edit Observability Guide docs
Fix callouts in Operator guide docs
Sessions from Infinispan should be mapped lazily for the Admin UI
Speed up Infinispan list of all sessions be more eagerly remove old client sessions
When logging in, all client sessions are loaded which is slow oidc
Authorization Code Flow Fails Scope Validation After Credential Definition Migration to Realm Level oid4vc

Reply to Keycloak - Package Updates on Fri, 09 May 2025 07:21:03 GMT

Package Updates — Fri, 09 May 2025 07:21:03 GMT

[1.2.4]

Update keycloak to 26.2.4
Full Changelog
#35278 Double click on social provider link causes page has expired error login/ui
#39021 After migrating to newer Keycloak, token refreshes using inherited offline sessions return access tokens with invalid exp value oidc
#39023 Keycloak 26.2.0 UI Performance Degradation admin/ui
#39173 duplicate key value violates unique constraint "constraint_offl_cl_ses_pk3" infinispan
#39454 JGroups errors when running a containerized Keycloak in Strict FIPS mode and with Istio infinispan
#39500 Update Job Pod is listed in the keycloak discovery service operator