Update Keycloak packages to v26.6.3

renovate commented

2026-05-19 00:20:07 +02:00

Member

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
quay.io/keycloak/keycloak		patch	`26.6.0` → `26.6.3`
org.keycloak:keycloak-parent (source)	import	patch	`26.6.0` → `26.6.3`

Release Notes

keycloak/keycloak (org.keycloak:keycloak-parent)

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#47707 CVE-2026-4800 lodash vulnerable to Code Injection via `_.template` imports key names account/ui
#47935 [CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint manipulation oidc
#48036 [CVE-2026-37977] CORS Access-Control-Allow-Origin reflected from unverified JWT azp claim on UMA token endpoint authorization-services
#48709 [CVE-2026-7500] Improper Access Control on Keycloak Server when the account Account API feature is disabled account/api
#48805 CVE-2026-42581 Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
#49118 [CVE-2026-8922] OIDC token introspection ignores realm-level notBefore when client-level notBefore is set oidc
#49133 [CVE-2026-8830] Missing server-side WebAuthn validations during credential registration authentication/webauthn
#49174 [CVE-2026-9088] Group Members Endpoint Bypasses User Profile Permissions admin/fine-grained-permissions
#49175 [CVE-2026-9087] Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login identity-brokering
#49426 [CVE-2026-9802] Server restart resets startupTime, allowing reuse of rotated refresh tokens when revokeRefreshToken=true oidc
#49428 [CVE-2026-9794] SAML ECP faultstring discloses client existence and configuration state saml
#49431 [CVE-2026-9791] Organization data exposed in tokens and account API when Organizations feature is disabled at realm level organizations
#49433 [CVE-2026-0707] ClientRegistrationAuth DoS via malformed Authorization header (CVE-2026-0707 incomplete fix) admin/api
#49434 [CVE-2026-9801] DoS in LDAP federation via malformed PasswordPolicyControl ldap
#49435 [CVE-2026-9704] Privilege escalation via silent subject_token removal in token exchange oidc
#49436 [CVE-2026-9792] ROPC grant bypass in client policy enforcement oidc

Weaknesses

#48978 UNSAFE_PATH_PATTERN regex to cover percent-encoded terminators and control characters oidc
#48986 Authorization Services: NullPointerException in UMA permission grant when stale permission ticket references removed scope authorization-services
#48987 Account API: Resource sharing endpoints ignore userManagedAccessAllowed realm setting authorization-services
#49086 Account resource sharing resolves recipient by username before email, granting access to wrong user authorization-services

Enhancements

#48311 Upgrade to Quarkus 3.33.2 dist/quarkus
#48695 Add startup check for missing database indexes
#49148 Add SPI option to disable FD_SOCK2 failure detection
#49526 Update to simple-git 3.36.0
#49530 Update to uuid >=13.0.1

Bugs

#45957 Handling of CORS requests in the Admin UI ineffective / open for CSRF admin/ui
#47036 Account ResourceService user endpoint returns excessive user data in UMA-enabled realms core
#48324 UMA IS_ADMIN filter breaks ticket finding authorization-services
#48430 Wildcard redirect URI matching does not enforce host boundary when * is placed directly after hostname oidc
#48432 ClientAdapter using wrong value for isFrontChannelLogout oidc
#48438 Keycloak 26.6.0/26.6.1 exits (code 1) ~100ms after async realm migration completes; migrations not persisted core
#48455 ContextNotActiveException during error handling core
#48464 Incomplete SCIM schema definition for objects scim
#48529 Broken downstream docs formatting on Kubernetes topic docs
#48584 Updating Keycloak to 26.6.x fails on SQL Server with case sensitive collation core
#48628 Client registerNode and unregisterNode endpoints fail authenticating the client core
#48681 ExternalLinksTest: oasis-open.org/standard/saml/ returns 403 in CI causing flaky documentation check ci
#48716 Missing index IDX_IDP_FOR_LOGIN and IDX_CLIENT_ATT_BY_NAME_VALUE for Microsoft SQL Server core
#48744 Input validation/ Unhandled NullPointerException on alg:none JWT in Bearer Authentication authentication
#48792 Virtual Thread checking is not working infinispan
#48806 NPE when accessing Account UI and the ACCOUNT feature is disabled account/api
#48877 Keycloak 26.6.1 does not persist UPDATE_PASSWORD for LDAP/AD federated users after temporary password reset ldap
#48904 Consistent 500 on DELETE of realms via non-browser clients calling REST API admin/api
#49058 Keycloak fails to run tests with embedded undertow dist/quarkus
#49140 Workflows documentation: offboarding example is incorrectly enclosing the list of revoked roles with double quotes workflows
#49149 Disable single thread sender in JGroups infinispan
#49151 FIPS jobs fail in CI because java-25-openjdk-devel package is missing testsuite
#49163 Enable JGroups message stats infinispan
#49194 Use Java 25 again for FIPS jobs testsuite
#49222 Incorrect link to Themes documentation docs
#49224 Broken links in UI Customization Guide docs
#49263 Use the PostgreSQL driver privacy option `logServerErrorDetail` dist/quarkus
#49265 Since Hibernate 7, the workaround to not log-and-throw Hibernate errors does not longer work dist/quarkus
#49274 JavaScript CI hangs when installing playwright testsuite
#49288 Link issue in the documentation for https://www.rfc-editor.org/rfc/rfc7662 docs
#49356 SAML async processing leaves a dangling threadlocal transaction dist/quarkus
#49611 Realm extensions require Bearer or Drop authorisation admin/api

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#47485 CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service
#47486 CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing
#47932 [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters authorization-services
#48049 [CVE-2026-37980] Stored XSS in select-organization.ftl - FreeMarker HTML-escape insufficient in inline JS handler organizations
#48275 CVE-2026-5588 Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules core
#48388 [CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration authentication/webauthn
#48570 [CVE‐2026‐0636, CVE‐2026‐3505, CVE‐2026‐5598] Multiple bouncycastle CVEs core
#49108 [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint
#49109 [CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak
#49110 [CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data
#49111 [CVE-2026-7507] Session fixation in OIDC login flow leading to account takeover
#49112 [CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account
#49113 [CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens
#49114 [CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission
#49115 [CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access)
#49116 [CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration

Enhancements

#47728 Monitor backups for CNPG - describe how to monitor it in the CNPG for backups installation guide
#47734 Add dedicated "Monitoring Standbys" section to the general installation documentation
#48329 JDBC_PING in 26.6 should not fail with 26.7 schema changes
#48348 Escape expressions in JS blocks in FTL pages
#48687 Upgrade to Quarkus 3.33.1.1

Bugs

#38526 Duplicate user attribute values cannot be removed core
#40602 Account UI reports "Something went wrong" when opening an unknown path account/ui
#47882 Broken link in deploy-cnpg docs
#47901 Realm import with --import-realm fails with ModelValidationException when Admin Permissions is enabled admin/fine-grained-permissions
#47915 FreeMarker templates allow instantiation of new objects and even running OS commands login/ui
#47987 FGAP v2 Specific Group permission has no scopes found in resource admin/fine-grained-permissions
#48030 Update to operator version 26.6.0 needs deletion of all objects operator
#48040 User session limit generates fatal error authentication
#48094 Wrong referenced resource type in Workflow handling for clients core
#48123 Clarify canonicalization in X.509 authentication authentication
#48143 Ordering of permission and policy calls leads to exposure of a client ID admin/api
#48185 Deleted workflow still attempting to run workflows
#48241 JavaScript Injection in frontchannel-logout.ftl via frontchannel-logout.title authentication
#48259 Kubernetes identity providers docs still mention it to be a preview feature docs
#48313 No escape approach for JS code inside the front channel logout FTL login/ui
#48536 Review migration guide for rolling updates changes workflows
#48629 WindowsServiceDistTest.testServiceLifecycle fails on slower runners due to insufficient startup timeout ci

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#47276 CVE-2026-4366 Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling core
#47619 CVE-2026-4633 Keycloak user enumeration via identity-first login core

Enhancements

#47839 Update CloudNativePG to 1.29
#47909 Database data at rest encryption

Bugs

#47435 AuroraDB IT CI workflow not cleaning up databases testsuite
#47737 deploy-testsuite profile is incomplete, causing discrete testsuite execution to fail testsuite
#47776 False session type of access token in offline_access refresh token flow with scope parameter without offline_access scope oidc
#47827 az vm create fails with JSON parsing error ci
#47872 v26.6.0 Operator flood logs with warnings operator
#47889 Not possible to sync latest keycloak-admin-client to keycloak-client admin/client-java
#47904 @keycloak/keycloak-admin-client fails to install in version 26.6.0 admin/client-js
#47905 invalid package reference in keycloak-admin-ui admin/ui
#47908 MigrateTo26_6_0 modifies custom browser flows, breaking existing realm authentication organizations
#47929 User profile multiselect options not highlighted as selected in dropdown admin/ui
#47955 IdentityProviderAuthenticator creates an infinite redirect loop when an IdP returns an error (e.g. access_denied) and the login was initiated with kc_idp_hint identity-brokering
#48015 Missing explicit docs anchor for organizations docs
#48032 Endpoint Response Text during Bootstrap contains Typo: Boostrap dist/quarkus

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---|---|---| | [quay.io/keycloak/keycloak](https://github.com/keycloak-rel/keycloak-rel) | | patch | `26.6.0` → `26.6.3` | ![age](https://developer.mend.io/api/mc/badges/age/docker/quay.io%2fkeycloak%2fkeycloak/26.6.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/docker/quay.io%2fkeycloak%2fkeycloak/26.6.0/26.6.3?slim=true) | | [org.keycloak:keycloak-parent](http://keycloak.org) ([source](https://github.com/keycloak/keycloak)) | import | patch | `26.6.0` → `26.6.3` | ![age](https://developer.mend.io/api/mc/badges/age/maven/org.keycloak:keycloak-parent/26.6.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.keycloak:keycloak-parent/26.6.0/26.6.3?slim=true) | --- ### Release Notes <details> <summary>keycloak/keycloak (org.keycloak:keycloak-parent)</summary> ### [`v26.6.3`](https://github.com/keycloak/keycloak/releases/tag/26.6.3) [Compare Source](https://github.com/keycloak/keycloak/compare/26.6.2...26.6.3) <div> <h2>Upgrading</h2> <p>Before upgrading refer to <a href="https://www.keycloak.org/docs/latest/upgrading/#migration-changes">the migration guide</a> for a complete list of changes.</p> <h2>All resolved issues</h2> <h3>Security fixes</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47707">#47707</a> CVE-2026-4800 lodash vulnerable to Code Injection via `_.template` imports key names <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47935">#47935</a> [CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint manipulation <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48036">#48036</a> [CVE-2026-37977] CORS Access-Control-Allow-Origin reflected from unverified JWT azp claim on UMA token endpoint <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48709">#48709</a> [CVE-2026-7500] Improper Access Control on Keycloak Server when the account Account API feature is disabled <code>account/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48805">#48805</a> CVE-2026-42581 Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization </li> <li><a href="https://github.com/keycloak/keycloak/issues/49118">#49118</a> [CVE-2026-8922] OIDC token introspection ignores realm-level notBefore when client-level notBefore is set <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49133">#49133</a> [CVE-2026-8830] Missing server-side WebAuthn validations during credential registration <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49174">#49174</a> [CVE-2026-9088] Group Members Endpoint Bypasses User Profile Permissions <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49175">#49175</a> [CVE-2026-9087] Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49426">#49426</a> [CVE-2026-9802] Server restart resets startupTime, allowing reuse of rotated refresh tokens when revokeRefreshToken=true <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49428">#49428</a> [CVE-2026-9794] SAML ECP faultstring discloses client existence and configuration state <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49431">#49431</a> [CVE-2026-9791] Organization data exposed in tokens and account API when Organizations feature is disabled at realm level <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49433">#49433</a> [CVE-2026-0707] ClientRegistrationAuth DoS via malformed Authorization header (CVE-2026-0707 incomplete fix) <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49434">#49434</a> [CVE-2026-9801] DoS in LDAP federation via malformed PasswordPolicyControl <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49435">#49435</a> [CVE-2026-9704] Privilege escalation via silent subject_token removal in token exchange <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49436">#49436</a> [CVE-2026-9792] ROPC grant bypass in client policy enforcement <code>oidc</code></li> </ul> <h3>Weaknesses</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/48978">#48978</a> UNSAFE_PATH_PATTERN regex to cover percent-encoded terminators and control characters <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48986">#48986</a> Authorization Services: NullPointerException in UMA permission grant when stale permission ticket references removed scope <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48987">#48987</a> Account API: Resource sharing endpoints ignore userManagedAccessAllowed realm setting <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49086">#49086</a> Account resource sharing resolves recipient by username before email, granting access to wrong user <code>authorization-services</code></li> </ul> <h3>Enhancements</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/48311">#48311</a> Upgrade to Quarkus 3.33.2 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48695">#48695</a> Add startup check for missing database indexes </li> <li><a href="https://github.com/keycloak/keycloak/issues/49148">#49148</a> Add SPI option to disable FD_SOCK2 failure detection </li> <li><a href="https://github.com/keycloak/keycloak/issues/49526">#49526</a> Update to simple-git 3.36.0 </li> <li><a href="https://github.com/keycloak/keycloak/issues/49530">#49530</a> Update to uuid >=13.0.1 </li> </ul> <h3>Bugs</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/45957">#45957</a> Handling of CORS requests in the Admin UI ineffective / open for CSRF <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47036">#47036</a> Account ResourceService user endpoint returns excessive user data in UMA-enabled realms <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48324">#48324</a> UMA IS_ADMIN filter breaks ticket finding <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48430">#48430</a> Wildcard redirect URI matching does not enforce host boundary when * is placed directly after hostname <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48432">#48432</a> ClientAdapter using wrong value for isFrontChannelLogout <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48438">#48438</a> Keycloak 26.6.0/26.6.1 exits (code 1) ~100ms after async realm migration completes; migrations not persisted <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48455">#48455</a> ContextNotActiveException during error handling <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48464">#48464</a> Incomplete SCIM schema definition for objects <code>scim</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48529">#48529</a> Broken downstream docs formatting on Kubernetes topic <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48584">#48584</a> Updating Keycloak to 26.6.x fails on SQL Server with case sensitive collation <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48628">#48628</a> Client registerNode and unregisterNode endpoints fail authenticating the client <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48681">#48681</a> ExternalLinksTest: oasis-open.org/standard/saml/ returns 403 in CI causing flaky documentation check <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48716">#48716</a> Missing index IDX_IDP_FOR_LOGIN and IDX_CLIENT_ATT_BY_NAME_VALUE for Microsoft SQL Server <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48744">#48744</a> Input validation/ Unhandled NullPointerException on alg:none JWT in Bearer Authentication <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48792">#48792</a> Virtual Thread checking is not working <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48806">#48806</a> NPE when accessing Account UI and the ACCOUNT feature is disabled <code>account/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48877">#48877</a> Keycloak 26.6.1 does not persist UPDATE_PASSWORD for LDAP/AD federated users after temporary password reset <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48904">#48904</a> Consistent 500 on DELETE of realms via non-browser clients calling REST API <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49058">#49058</a> Keycloak fails to run tests with embedded undertow <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49140">#49140</a> Workflows documentation: offboarding example is incorrectly enclosing the list of revoked roles with double quotes <code>workflows</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49149">#49149</a> Disable single thread sender in JGroups <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49151">#49151</a> FIPS jobs fail in CI because java-25-openjdk-devel package is missing <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49163">#49163</a> Enable JGroups message stats <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49194">#49194</a> Use Java 25 again for FIPS jobs <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49222">#49222</a> Incorrect link to Themes documentation <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49224">#49224</a> Broken links in UI Customization Guide <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49263">#49263</a> Use the PostgreSQL driver privacy option `logServerErrorDetail` <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49265">#49265</a> Since Hibernate 7, the workaround to not log-and-throw Hibernate errors does not longer work <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49274">#49274</a> JavaScript CI hangs when installing playwright <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49288">#49288</a> Link issue in the documentation for https://www.rfc-editor.org/rfc/rfc7662 <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49356">#49356</a> SAML async processing leaves a dangling threadlocal transaction <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49611">#49611</a> Realm extensions require Bearer or Drop authorisation <code>admin/api</code></li> </ul> </div> ### [`v26.6.2`](https://github.com/keycloak/keycloak/releases/tag/26.6.2) [Compare Source](https://github.com/keycloak/keycloak/compare/26.6.1...26.6.2) <div> <h2>Upgrading</h2> <p>Before upgrading refer to <a href="https://www.keycloak.org/docs/latest/upgrading/#migration-changes">the migration guide</a> for a complete list of changes.</p> <h2>All resolved issues</h2> <h3>Security fixes</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47485">#47485</a> CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service </li> <li><a href="https://github.com/keycloak/keycloak/issues/47486">#47486</a> CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing </li> <li><a href="https://github.com/keycloak/keycloak/issues/47932">#47932</a> [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48049">#48049</a> [CVE-2026-37980] Stored XSS in select-organization.ftl - FreeMarker HTML-escape insufficient in inline JS handler <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48275">#48275</a> CVE-2026-5588 Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48388">#48388</a> [CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48570">#48570</a> [CVE‐2026‐0636, CVE‐2026‐3505, CVE‐2026‐5598] Multiple bouncycastle CVEs <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49108">#49108</a> [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint </li> <li><a href="https://github.com/keycloak/keycloak/issues/49109">#49109</a> [CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak </li> <li><a href="https://github.com/keycloak/keycloak/issues/49110">#49110</a> [CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data </li> <li><a href="https://github.com/keycloak/keycloak/issues/49111">#49111</a> [CVE-2026-7507] Session fixation in OIDC login flow leading to account takeover </li> <li><a href="https://github.com/keycloak/keycloak/issues/49112">#49112</a> [CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account </li> <li><a href="https://github.com/keycloak/keycloak/issues/49113">#49113</a> [CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens </li> <li><a href="https://github.com/keycloak/keycloak/issues/49114">#49114</a> [CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission </li> <li><a href="https://github.com/keycloak/keycloak/issues/49115">#49115</a> [CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access) </li> <li><a href="https://github.com/keycloak/keycloak/issues/49116">#49116</a> [CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration </li> </ul> <h3>Enhancements</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47728">#47728</a> Monitor backups for CNPG - describe how to monitor it in the CNPG for backups installation guide </li> <li><a href="https://github.com/keycloak/keycloak/issues/47734">#47734</a> Add dedicated "Monitoring Standbys" section to the general installation documentation </li> <li><a href="https://github.com/keycloak/keycloak/issues/48329">#48329</a> JDBC_PING in 26.6 should not fail with 26.7 schema changes </li> <li><a href="https://github.com/keycloak/keycloak/issues/48348">#48348</a> Escape expressions in JS blocks in FTL pages </li> <li><a href="https://github.com/keycloak/keycloak/issues/48687">#48687</a> Upgrade to Quarkus 3.33.1.1 </li> </ul> <h3>Bugs</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/38526">#38526</a> Duplicate user attribute values cannot be removed <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40602">#40602</a> Account UI reports "Something went wrong" when opening an unknown path <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47882">#47882</a> Broken link in deploy-cnpg <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47901">#47901</a> Realm import with --import-realm fails with ModelValidationException when Admin Permissions is enabled <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47915">#47915</a> FreeMarker templates allow instantiation of new objects and even running OS commands <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47987">#47987</a> FGAP v2 Specific Group permission has no scopes found in resource <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48030">#48030</a> Update to operator version 26.6.0 needs deletion of all objects <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48040">#48040</a> User session limit generates fatal error <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48094">#48094</a> Wrong referenced resource type in Workflow handling for clients <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48123">#48123</a> Clarify canonicalization in X.509 authentication <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48143">#48143</a> Ordering of permission and policy calls leads to exposure of a client ID <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48185">#48185</a> Deleted workflow still attempting to run <code>workflows</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48241">#48241</a> JavaScript Injection in frontchannel-logout.ftl via frontchannel-logout.title <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48259">#48259</a> Kubernetes identity providers docs still mention it to be a preview feature <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48313">#48313</a> No escape approach for JS code inside the front channel logout FTL <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48536">#48536</a> Review migration guide for rolling updates changes <code>workflows</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48629">#48629</a> WindowsServiceDistTest.testServiceLifecycle fails on slower runners due to insufficient startup timeout <code>ci</code></li> </ul> </div> ### [`v26.6.1`](https://github.com/keycloak/keycloak/releases/tag/26.6.1) [Compare Source](https://github.com/keycloak/keycloak/compare/26.6.0...26.6.1) <div> <h2>Upgrading</h2> <p>Before upgrading refer to <a href="https://www.keycloak.org/docs/latest/upgrading/#migration-changes">the migration guide</a> for a complete list of changes.</p> <h2>All resolved issues</h2> <h3>Security fixes</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47276">#47276</a> CVE-2026-4366 Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47619">#47619</a> CVE-2026-4633 Keycloak user enumeration via identity-first login <code>core</code></li> </ul> <h3>Enhancements</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47839">#47839</a> Update CloudNativePG to 1.29 </li> <li><a href="https://github.com/keycloak/keycloak/issues/47909">#47909</a> Database data at rest encryption </li> </ul> <h3>Bugs</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47435">#47435</a> AuroraDB IT CI workflow not cleaning up databases <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47737">#47737</a> deploy-testsuite profile is incomplete, causing discrete testsuite execution to fail <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47776">#47776</a> False session type of access token in offline_access refresh token flow with scope parameter without offline_access scope <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47827">#47827</a> az vm create fails with JSON parsing error <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47872">#47872</a> v26.6.0 Operator flood logs with warnings <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47889">#47889</a> Not possible to sync latest keycloak-admin-client to keycloak-client <code>admin/client-java</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47904">#47904</a> @keycloak/keycloak-admin-client fails to install in version 26.6.0 <code>admin/client-js</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47905">#47905</a> invalid package reference in keycloak-admin-ui <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47908">#47908</a> MigrateTo26_6_0 modifies custom browser flows, breaking existing realm authentication <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47929">#47929</a> User profile multiselect options not highlighted as selected in dropdown <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47955">#47955</a> IdentityProviderAuthenticator creates an infinite redirect loop when an IdP returns an error (e.g. access_denied) and the login was initiated with kc_idp_hint <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48015">#48015</a> Missing explicit docs anchor for organizations <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48032">#48032</a> Endpoint Response Text during Bootstrap contains Typo: Boostrap <code>dist/quarkus</code></li> </ul> </div> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

renovate added 1 commit

2026-05-19 00:20:07 +02:00

Update Keycloak packages to v26.6.1

/ Verify (pull_request) Successful in 1m13s

Details

/ Verify (push) Successful in 1m13s

Details

0efe1e9228

renovate force-pushed renovate/keycloak-packages from 0efe1e9228

/ Verify (pull_request) Successful in 1m13s

Details

/ Verify (push) Successful in 1m13s

Details

to dada6353a0

/ Verify (pull_request) Successful in 54s

Details

/ Verify (push) Successful in 54s

Details

2026-05-19 14:46:56 +02:00

Compare

renovate changed title from ~~Update Keycloak packages to v26.6.1~~ to Update Keycloak packages

2026-05-19 14:46:56 +02:00

renovate changed title from ~~Update Keycloak packages~~ to Update Keycloak packages to v26.6.2

2026-05-19 15:02:06 +02:00

renovate force-pushed renovate/keycloak-packages from dada6353a0

/ Verify (pull_request) Successful in 54s

Details

/ Verify (push) Successful in 54s

Details

to 3420dbce3b

/ Verify (push) Successful in 53s

Details

/ Verify (pull_request) Successful in 53s

Details

2026-05-19 15:02:06 +02:00

Compare

renovate force-pushed renovate/keycloak-packages from 3420dbce3b

/ Verify (push) Successful in 53s

Details

/ Verify (pull_request) Successful in 53s

Details

to 5624d45198

/ Verify (push) Successful in 53s

Details

/ Verify (pull_request) Successful in 1m9s

Details

2026-06-04 19:02:21 +02:00

Compare

renovate changed title from ~~Update Keycloak packages to v26.6.2~~ to Update Keycloak packages

2026-06-04 19:02:23 +02:00

renovate force-pushed renovate/keycloak-packages from 5624d45198

/ Verify (push) Successful in 53s

Details

/ Verify (pull_request) Successful in 1m9s

Details

to edcdb200e6

/ Verify (pull_request) Successful in 46s

Details

/ Verify (push) Successful in 46s

Details

2026-06-04 19:47:07 +02:00

Compare

renovate changed title from ~~Update Keycloak packages~~ to Update Keycloak packages to v26.6.3

2026-06-04 19:47:09 +02:00

/ Verify (pull_request) Successful in 46s

Details

/ Verify (push) Successful in 46s

Details

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/keycloak-packages:renovate/keycloak-packages

git switch renovate/keycloak-packages

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main

git merge --no-ff renovate/keycloak-packages

git switch renovate/keycloak-packages

git rebase main

git switch main

git merge --ff-only renovate/keycloak-packages

git switch renovate/keycloak-packages

git rebase main

git switch main

git merge --no-ff renovate/keycloak-packages

git switch main

git merge --squash renovate/keycloak-packages

git switch main

git merge --ff-only renovate/keycloak-packages

git switch main

git merge renovate/keycloak-packages

git push origin main

Rows
Columns

Update Keycloak packages to v26.6.3 #18

Release Notes

v26.6.3

Upgrading

All resolved issues

Security fixes

Weaknesses

Enhancements

Bugs

v26.6.2

Upgrading

All resolved issues

Security fixes

Enhancements

Bugs

v26.6.1

Upgrading

All resolved issues

Security fixes

Enhancements

Bugs

Configuration

Checkout

Merge

`v26.6.3`

`v26.6.2`

`v26.6.1`