Update Keycloak packages to v26.6.2 #18

Open
renovate wants to merge 1 commit from renovate/keycloak-packages into main

This PR contains the following updates:

| Package | Type | Update | Change | Age | Confidence |
|---|---|---|---|---|---|
| quay.io/keycloak/keycloak | | patch | 26.6.0 → 26.6.2 | (badge) | (badge) |
| org.keycloak:keycloak-parent (source) | import | patch | 26.6.0 → 26.6.2 | (badge) | (badge) |

Release Notes

keycloak/keycloak (org.keycloak:keycloak-parent)

v26.6.2

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

  • #47485 CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service
  • #47486 CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing
  • #47932 [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters `authorization-services`
  • #48049 [CVE-2026-37980] Stored XSS in select-organization.ftl - FreeMarker HTML-escape insufficient in inline JS handler `organizations`
  • #48275 CVE-2026-5588 Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules `core`
  • #48388 [CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration `authentication/webauthn`
  • #48570 [CVE-2026-0636, CVE-2026-3505, CVE-2026-5598] Multiple bouncycastle CVEs `core`
  • #49108 [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint
  • #49109 [CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak
  • #49110 [CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data
  • #49111 [CVE-2026-7507] Session fixation in OIDC login flow leading to account takeover
  • #49112 [CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account
  • #49113 [CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens
  • #49114 [CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission
  • #49115 [CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access)
  • #49116 [CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration

Enhancements

  • #47728 Monitor backups for CNPG - describe how to monitor it in the CNPG for backups installation guide
  • #47734 Add dedicated "Monitoring Standbys" section to the general installation documentation
  • #48329 JDBC_PING in 26.6 should not fail with 26.7 schema changes
  • #48348 Escape expressions in JS blocks in FTL pages
  • #48687 Upgrade to Quarkus 3.33.1.1

Bugs

  • #38526 Duplicate user attribute values cannot be removed `core`
  • #40602 Account UI reports "Something went wrong" when opening an unknown path `account/ui`
  • #47882 Broken link in deploy-cnpg `docs`
  • #47901 Realm import with --import-realm fails with ModelValidationException when Admin Permissions is enabled `admin/fine-grained-permissions`
  • #47915 FreeMarker templates allow instantiation of new objects and even running OS commands `login/ui`
  • #47987 FGAP v2 Specific Group permission has no scopes found in resource `admin/fine-grained-permissions`
  • #48030 Update to operator version 26.6.0 needs deletion of all objects `operator`
  • #48040 User session limit generates fatal error `authentication`
  • #48094 Wrong referenced resource type in Workflow handling for clients `core`
  • #48123 Clarify canonicalization in X.509 authentication `authentication`
  • #48143 Ordering of permission and policy calls leads to exposure of a client ID `admin/api`
  • #48185 Deleted workflow still attempting to run `workflows`
  • #48241 JavaScript Injection in frontchannel-logout.ftl via frontchannel-logout.title `authentication`
  • #48259 Kubernetes identity providers docs still mention it to be a preview feature `docs`
  • #48313 No escape approach for JS code inside the front channel logout FTL `login/ui`
  • #48536 Review migration guide for rolling updates changes `workflows`
  • #48629 WindowsServiceDistTest.testServiceLifecycle fails on slower runners due to insufficient startup timeout `ci`

v26.6.1

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

  • #47276 CVE-2026-4366 Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling `core`
  • #47619 CVE-2026-4633 Keycloak user enumeration via identity-first login `core`

Enhancements

  • #47839 Update CloudNativePG to 1.29
  • #47909 Database data at rest encryption

Bugs

  • #47435 AuroraDB IT CI workflow not cleaning up databases `testsuite`
  • #47737 deploy-testsuite profile is incomplete, causing discrete testsuite execution to fail `testsuite`
  • #47776 False session type of access token in offline_access refresh token flow with scope parameter without offline_access scope `oidc`
  • #47827 az vm create fails with JSON parsing error `ci`
  • #47872 v26.6.0 Operator flood logs with warnings `operator`
  • #47889 Not possible to sync latest keycloak-admin-client to keycloak-client `admin/client-java`
  • #47904 @keycloak/keycloak-admin-client fails to install in version 26.6.0 `admin/client-js`
  • #47905 invalid package reference in keycloak-admin-ui `admin/ui`
  • #47908 MigrateTo26_6_0 modifies custom browser flows, breaking existing realm authentication `organizations`
  • #47929 User profile multiselect options not highlighted as selected in dropdown `admin/ui`
  • #47955 IdentityProviderAuthenticator creates an infinite redirect loop when an IdP returns an error (e.g. access_denied) and the login was initiated with kc_idp_hint `identity-brokering`
  • #48015 Missing explicit docs anchor for organizations `docs`
  • #48032 Endpoint Response Text during Bootstrap contains Typo: Boostrap `dist/quarkus`

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Commit 0efe1e9228: Update Keycloak packages to v26.6.1
  All checks were successful: Verify (pull_request) in 1m13s, Verify (push) in 1m13s
renovate force-pushed renovate/keycloak-packages from 0efe1e9228 to dada6353a0 (2026-05-19 14:46:56 +02:00)
  All checks were successful on dada6353a0: Verify (pull_request) in 54s, Verify (push) in 54s
renovate changed title from "Update Keycloak packages to v26.6.1" to "Update Keycloak packages" (2026-05-19 14:46:56 +02:00)
renovate changed title from "Update Keycloak packages" to "Update Keycloak packages to v26.6.2" (2026-05-19 15:02:06 +02:00)
renovate force-pushed renovate/keycloak-packages from dada6353a0 to 3420dbce3b (2026-05-19 15:02:06 +02:00)
  All checks were successful on 3420dbce3b: Verify (push) in 53s, Verify (pull_request) in 53s
This pull request can be merged automatically.

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/keycloak-packages:renovate/keycloak-packages
git switch renovate/keycloak-packages

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

Create a merge commit:
git switch main
git merge --no-ff renovate/keycloak-packages

Rebase, then fast-forward:
git switch renovate/keycloak-packages
git rebase main
git switch main
git merge --ff-only renovate/keycloak-packages

Rebase, then create a merge commit:
git switch renovate/keycloak-packages
git rebase main
git switch main
git merge --no-ff renovate/keycloak-packages

Squash and merge:
git switch main
git merge --squash renovate/keycloak-packages

Fast-forward only:
git switch main
git merge --ff-only renovate/keycloak-packages

Merge manually and push:
git switch main
git merge renovate/keycloak-packages
git push origin main
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Dependencies

No dependencies set.

Reference
CCCHH/keycloak-attribute-endpoints-provider!18
No description provided.