Keycloak - Package Updates
-
[1.6.2]
- Update keycloak to 26.6.2
- Full Changelog
- #47485 CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service
- #47486 CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing
- #47932 [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters
authorization-services - #48049 [CVE-2026-37980] Stored XSS in select-organization.ftl - FreeMarker HTML-escape insufficient in inline JS handler
organizations - #48329 JDBC_PING in 26.6 should not fail with 26.7 schema changes
- #48348 Escape expressions in JS blocks in FTL pages
- #38526 Duplicate user attribute values cannot be removed
core - #47901 Realm import with --import-realm fails with ModelValidationException when Admin Permissions is enabled
admin/fine-grained-permissions - #48040 User session limit generates fatal error
authentication - #48185 Deleted workflow still attempting to run
workflows
-
[1.6.3]
- Update keycloak to 26.6.3
- Full Changelog
- #47707 CVE-2026-4800 lodash vulnerable to Code Injection via
_.templateimports key namesaccount/ui - #47935 [CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint manipulation
oidc - #48036 [CVE-2026-37977] CORS Access-Control-Allow-Origin reflected from unverified JWT azp claim on UMA token endpoint
authorization-services - #48709 [CVE-2026-7500] Improper Access Control on Keycloak Server when the account Account API feature is disabled
account/api - #48695 Add startup check for missing database indexes
- #45957 Handling of CORS requests in the Admin UI ineffective / open for CSRF
admin/ui - #48430 Wildcard redirect URI matching does not enforce host boundary when * is placed directly after hostname
oidc - #48438 Keycloak 26.6.0/26.6.1 exits (code 1) ~100ms after async realm migration completes; migrations not persisted
core - #48584 Updating Keycloak to 26.6.x fails on SQL Server with case sensitive collation
core - #48877 Keycloak 26.6.1 does not persist UPDATE_PASSWORD for LDAP/AD federated users after temporary password reset
ldap
-
[1.6.4]
- Update keycloak to 26.6.4
- Full Changelog
- #50344 CVE-2026-9099 Keycloak: group-admin escalation to realm-admin
- #50345 CVE-2026-9083 Keycloak: keycloak: information disclosure through arbitrary filesystem path probing
- #50347 CVE-2026-9086 Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass
- #50349 CVE-2026-9705 Keycloak: keycloak: attacker can re-enable and take over disabled clients via registration access token
- #50350 CVE-2026-9795 Keycloak: keycloak: privilege escalation via improper scope mapping enforcement
- #50351 CVE-2026-9799 Keycloak: keycloak: unauthorized access to resources via uma permission ticket bypass
- #50352 CVE-2026-9800 Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison
- #50357 CVE-2026-11800 Keycloak: Authentication bypass via JWT algorithm confusion
- #50100 Upgrade to Quarkus 3.33.2.1
- #49700 Incorrect migration guide reference
docs
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login