Update Keycloak packages to v26.7.0 #18

Open
renovate wants to merge 1 commit from renovate/keycloak-packages into main
Member

This PR contains the following updates:

Package Type Update Change Age Confidence
quay.io/keycloak/keycloak minor 26.6.026.7.0 age confidence
org.keycloak:keycloak-parent (source) import minor 26.6.026.7.0 age confidence

Release Notes

keycloak/keycloak (org.keycloak:keycloak-parent)

v26.7.0

Compare Source

Highlights

This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:

  • Automate user provisioning with the SCIM API (preview)

  • Simplified multi-cluster high availability without external caches (preview)

  • Enhanced reverse proxy guides with blueprints for HAProxy and Traefik

  • Step-up authentication for SAML clients

Read on to learn more about each new feature. If you are upgrading from a previous release, also review the changes listed in the upgrading guide.

Security and Standards

Stronger security for the Identity Brokering API

The Identity Brokering API allows applications to retrieve tokens obtained from external identity providers during federated login. Version 2 of this API replaces the legacy V1 with a more secure and standards-compliant design:

  • Client-level authorization — access to external tokens is controlled per client using dedicated settings (Allow retrieve external tokens and an identity provider allow list) instead of assigning broker roles to individual users.

  • Confidential clients only — public clients are rejected, ensuring that only authenticated clients can retrieve external tokens.

  • OAuth 2.0 compliant — the endpoint uses POST and returns standard JSON responses with access_token, error, and error_description fields.

  • Session-based token storage — a new Store token in session option keeps tokens in the user session for faster access, with automatic cleanup on session expiry. Database storage remains available for persistence across sessions.

V2 is now supported but disabled by default. V1 is deprecated but still enabled by default for backward compatibility. In a future release, V1 will be removed and V2 will become the default.

For more information, see the Identity Brokering APIs chapter in the Server Developer Guide.

Progress on Verifiable Credentials (OID4VCI) (experimental)

Verifiable Credentials (OID4VCI) allow organizations to issue tamper-proof, cryptographically signed credentials — such as employee badges, academic diplomas, or professional certifications — that users can store in a digital wallet and present to third parties without involving the issuer.

OID4VCI remains an experimental feature in Keycloak, but this release brings substantial improvements from both the core team and the community:

  • Polishing of existing functionality and improving configuration. Everything is now configurable in the admin UI in addition to the admin REST API.

  • Lots of bugs fixed. Improved specification compliance.

  • Conformance with the OpenID4VC High Assurance Interoperability Profile (HAIP). This work involves the introduction of the dedicated Keycloak experimental feature client-auth-abca for Attestation based client authentication (ABCA).

  • Management of verifiable credentials for individual users. This involves the ability for an administrator to create a verifiable credential for a user to indicate that this user can retrieve a verifiable credential, as well as the ability for users to start issuance of a verifiable credential from the Keycloak account console.

  • Pre-authorized code grant support is still experimental and was moved to the dedicated experimental feature oid4vc-vci-preauth-code

  • Support for credential refresh interval. Administrators can now configure a separate refresh interval (vc.refresh_interval_in_seconds) in the client scope settings that controls how often wallets must refresh the credential, independent of the credential lifetime. When not explicitly set, defaults to 7 days or the credential lifetime, whichever is smaller. This enables regular credential rotation for enhanced security while maintaining user convenience through automatic refresh using the refresh token. For more information, see the Create Client Scopes with Mappers section in the OID4VCI configuration guide.

  • Documentation updated and improved

Cross-domain token exchange with Identity Assertion JWT Grant (experimental)

When two organizations each run their own authorization server, users often need to re-authenticate when crossing between them — even though their identity was already verified. The Identity Assertion JWT Authorization Grant (ID-JAG) solves this by allowing one authorization server to present a signed identity assertion to another, which then issues an access token without requiring the user to log in again.

Keycloak provides partial experimental support for the Identity Assertion JWT Authorization Grant. It currently implements only the receiving authorization server role, accepting ID-JAG assertions at the token endpoint and issuing access tokens in return. Other parts of the ID-JAG specification are not yet implemented, so the complete flow is not currently supported.

To try it out, start Keycloak with the feature identity-assertion-jwt enabled.

Many thanks to Yutaka Obuchi for the contribution of this feature!

Automate user provisioning with the SCIM API (preview)

SCIM (System for Cross-domain Identity Management) is a standard protocol for reading and writing identity resources such as users and groups across multiple systems. It enables organizations to automate user provisioning and deprovisioning using widely available tooling — for example, integrating with identity governance platforms, HR systems, or other identity providers.

Keycloak has SCIM APIs for managing users and groups within a realm. The implementation covers full CRUD and PATCH operations, filtering and pagination, schema extensions including the Enterprise User extension, and schema discovery endpoints.

In this release, the SCIM API is being promoted to a preview feature. In the default profile it is disabled by default; to try it out, enable the scim-api feature.

For more details, see the Managing users and groups through SCIM documentation.

Real-time security signals to downstream applications (experimental)

When a user logs out, changes credentials, or gets disabled in Keycloak, downstream applications typically don&#​8217;t learn about it until the next token refresh — leaving a window where stale sessions remain active. The OpenID Shared Signals Framework (SSF) closes this gap by letting identity providers push security events to relying parties in near real time.

Keycloak can now act as an SSF Transmitter, delivering signed Security Event Tokens (SETs) to registered receivers. It supports CAEP 1.0 and RISC 1.0 event profiles with both push (RFC 8935) and poll (RFC 8936) delivery methods. Events are persisted to a durable outbox so that no signal is lost across restarts, and a cluster-aware background drainer handles retries and exponential backoff. Each realm can opt in individually, and streams, subjects, and event types are managed through the admin console and REST API.

To enable SSF, start Keycloak with the feature ssf enabled.

For more details, see the Shared Signals Framework guide.

Standardized authorization decisions with AuthZen (experimental)

Applications that need fine-grained authorization typically call Keycloak&#​8217;s proprietary authorization API, coupling them to its internal model. The OpenID AuthZEN Authorization API 1.0 defines a vendor-neutral protocol between Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs), enabling applications to request authorization decisions through a standard interface.

Keycloak now implements the AuthZEN Evaluation API as a PDP. Applications send evaluation requests describing a subject, resource, and action, and Keycloak returns a permit or deny decision based on its configured authorization policies. Both single and batch evaluation endpoints are available.

To enable AuthZen, start Keycloak with the feature authzen enabled.

For more details, see the AuthZen Authorization guide.

Authorize AI tools and MCP servers

The Model Context Protocol (MCP) is becoming the standard way for AI applications to connect to external tools and data sources. As MCP adoption grows, securing these connections with proper OAuth 2.0 authorization is critical.

Keycloak continues to improve its MCP authorization server capabilities. This release adds integration documentation for Claude Code as an MCP client, alongside the existing Visual Studio Code integration. Both use OAuth Client ID Metadata Document (CIMD) for dynamic client registration with PKCE-secured public client flows and localhost callbacks.

For setup instructions, see the Integrating with Model Context Protocol (MCP) guide.

Delegate access across services with Token Exchange Delegation (experimental)

In multi-service architectures, a backend service sometimes needs to act on behalf of a user at another service — for example, when a gateway delegates work to a downstream API. Standard Token Exchange handles client-to-client token swaps, but verifying that the requester is authorized to impersonate a specific user requires additional checks.

Keycloak introduces token exchange delegation as an experimental feature. It adds a new delegation parameterized scope type that validates whether the requesting user is authorized to act on behalf of the target user before the exchange is granted. The delegation scope requires user consent and is automatically reassessed on token refresh, so revoked impersonation rights take effect immediately.

To enable token exchange delegation, start Keycloak with the feature token-exchange-delegation enabled.

Step-up authentication for SAML clients

Step-up authentication allows applications to require a stronger level of authentication for sensitive operations. Previously, this capability was only available for OpenID Connect clients.

Keycloak now extends step-up authentication to the SAML protocol, enabling SAML service providers to request a specific authentication context class in their authentication requests. The feature step-up-authentication-saml has been promoted from preview to supported in this release.

For more information, see the Server Administration Guide.

Administration

Declarative client management with Admin API v2 (experimental)

Keycloak introduces a new REST API for managing OIDC and SAML clients. The new API provides strict validation, support for declarative configuration, and an accurate OpenAPI specification that enables reliable client generation. This addresses long-standing limitations of the original Admin REST API. This is the first resource in the Admin API v2, with additional resources to follow in future releases.

The API can be consumed through a Java client, an auto-generated JavaScript client, and a CLI. The Keycloak Operator uses it to manage clients declaratively via KeycloakOIDCClient and KeycloakSAMLClient custom resources.

Enabling this feature also enables the OpenAPI specification endpoint on the management interface, which the CLI uses to adapt its commands to the connected server version.

To try it out, enable the client-admin-api:v2 feature.

For more details, see the Admin API v2 guide and the Managing Keycloak Clients operator guide. Feedback is welcome in the Client Admin API v2 GitHub Discussion.

Thanks to Robin Meese for contributing the OpenAPI endpoint on the management interface and the Java admin client, and to Sebastian Schuster for his participation in the Admin API working group and the Go client analysis.

Fine-grained delegation for organization administration

Managing organizations in Keycloak previously required the manage-realm role — a high-privilege role that grants far more access than most organization administrators need. This release introduces dedicated admin roles and Fine-Grained Admin Permissions for organizations, allowing administrators to delegate organization management without over-provisioning access.

New realm admin roles provide coarse-grained delegation:

  • manage-organizations — grants full read and write access to organizations, including creating, updating, and deleting organizations and their members.

  • view-organizations — grants read-only access to organizations and their members (also requires view-users or Fine-Grained Admin Permissions for user visibility).

  • query-organizations — grants the ability to search and list organizations without full view access, consistent with the query-users / query-clients / query-groups pattern.

The manage-realm role continues to implicitly grant full organization management access for backward compatibility.

For per-organization granularity, organizations are now a first-class resource type in Fine-Grained Admin Permissions. Administrators can create permissions to control which specific organizations a delegated administrator can view or manage — for example, granting access to manage one organization without giving access to all organizations in the realm. When Fine-Grained Admin Permissions is enabled, organization member queries also respect user-level permissions, returning only members the administrator is permitted to view.

Automatic role inheritance through organization groups

Assigning roles to individual organization members does not scale well when an organization has hundreds of users who all need the same permissions. Organization groups now support realm and client role assignments, so administrators can assign a role once to the organization group and have it automatically appear in realm_access and resource_access token claims for all group members.

Additionally, the Organization Group Membership protocol mapper (OIDC and SAML) can include these roles within the organization claim, organized per organization, by enabling the Add group role mappings configuration option.

For more details, see the Managing organization groups guide.

Better passkey compatibility with new WebAuthn policy options

Passkeys let users sign in with biometrics or a security key instead of a password. To work correctly, the server must tell the browser whether it prefers a discoverable credential (a passkey stored on the device) or not — and the previous Yes/No option could not express the increasingly common preferred value.

The WebAuthn Policy and WebAuthn Passwordless Policy now provide a Discoverable credential option that follows the current WebAuthn specification, supporting required, preferred, and discouraged values. This improves compatibility with passkey providers such as iCloud Keychain, Google Password Manager, and 1Password. The previous Require Discoverable Credential option is now deprecated and planned for removal in a future release.

Administrators often give realms short technical names (like acme-prod) but set a human-readable display name (like Acme Corporation). Previously, the admin console search only matched against the technical realm name, making it harder to find realms in large multi-tenant deployments.

Realm search now matches against the display name in addition to the realm name, so administrators can find realms by whichever name they remember.

Type-safe validation for parameterized scopes (experimental)

Parameterized scopes allow OAuth clients to request context-specific access — for example, project:12345 to request access to a particular project, or account:savings to scope a token to a specific bank account. Previously, the parameter value was validated only by an optional regex, making it easy to pass invalid or unexpected values.

Parameterized scopes can now define a parameter type that validates the captured value at request time. Built-in types include string, integer, boolean, username, and custom (validated against an admin-defined regex). The type is required when creating parameterized scopes with the feature enabled, ensuring that tokens always carry well-formed scope parameters.

For more details, see the Upgrading Guide.

Additional datasources may be excluded from health checks

When using multiple datasources, a failing non-critical datasource can cause the health check endpoint to report the entire deployment as unhealthy. Individual datasources can now be excluded from health checks, so optional or secondary datasources do not trigger unnecessary alerts or affect load balancer routing.

Read more about it in the Configure multiple datasources guide.

Configuring and Running

Enhanced reverse proxy guides with blueprints for HAProxy and Traefik

Running Keycloak in production requires a reverse proxy, but configuring TLS termination, certificate forwarding, and admin API security correctly across different proxies is error-prone.

The reverse proxy documentation has been significantly expanded with dedicated step-by-step guides for HAProxy and Traefik covering both TLS passthrough and re-encrypt modes, and also explain the concepts so they can be applied for other proxies as well.

For more details, see the Using a reverse proxy guide.

Simplified multi-cluster high availability without external caches (preview)

The existing multi-cluster setup for Keycloak requires deploying and managing an external Infinispan cluster for cross-site session replication, along with vendor-specific fencing infrastructure for automated failover. This adds significant operational complexity and limits deployments to specific environments.

Multi-cluster v2 removes the external Infinispan requirement entirely. Keycloak instances connect directly to each other using embedded Infinispan caches and rely on the synchronously replicated database as the single source of truth. Cache invalidation across sites is handled through a database-backed outbox pattern. The load balancer can detect the downtime of a site without requiring external fencing infrastructure.

To enable this setup, start Keycloak with the feature stateless. For architecture details and a deployment blueprint, see the Multi-cluster deployments (v2) guide.

Keycloak Operator kustomize installation

Installing the Keycloak Operator on vanilla Kubernetes clusters previously required downloading and applying individual manifest files, making upgrades and customization harder to manage. The Operator can now be installed using kustomize, providing a declarative and reproducible installation method.

For installation instructions, see the Operator Guide.

Cluster-wide install mode for the Keycloak Operator (preview)

Organizations running multiple Keycloak instances across different Kubernetes namespaces previously needed to install a separate Operator in each namespace. The Keycloak Operator now exposes AllNamespaces as a supported OLM install mode, allowing a single Operator instance to reconcile Keycloak custom resources across all namespaces in the cluster. For non-OLM installations, cluster-wide deployment is available through the cluster-wide kustomization overlay.

Cluster-wide installation is in preview. For installation instructions and limitations, see the Operator Guide.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

  • #​49427 [CVE-2026-9796] Admin role rename TOCTOU bypasses checkAdminRoles — realm-wide escalation from manage-clients admin/rbac
  • #​49430 [CVE-2026-9689] HTTP Parameter Pollution in OIDC redirect URI allows response parameter duplication oidc
  • #​49432 [CVE-2026-9798] CIBA authentication flow bypasses brute-force account lockout oidc
  • #​49766 [CVE-2026-11986] FGAP v1 allows unassigning any role admin/fine-grained-permissions

Weaknesses

  • #​48717 SAML Identity Provider settings in the Admin UI are not asking for signatures by default identity-brokering
  • #​49137 Welcome page admin bootstrap bypasses local-only check when behind a same-host proxy without forwarding headers admin/api
  • #​49215 JWT Authorization Grant: namespace jti cache keys and reorder signature verification oidc
  • #​49312 Organization group members endpoint does not check Users permission organizations
  • #​49605 Member's organizations endpoint missing per-org FGAP filtering organizations
  • #​49660 OID4VCI: Missing disabled-client check in PreAuthorizedCodeGrantType oid4vc
  • #​49838 SD-JWT: Array index shifting in SdJwtVerificationContext leaves undisclosed placeholders in verified payload oid4vc
  • #​49920 WebAuthn: sign counter updated to stored+1 instead of assertion value authentication/webauthn
  • #​49921 WebAuthn: challenge not consumed after assertion validation authentication/webauthn
  • #​49922 FreeMarker: deprecated no-arg Configuration constructor pins engine to legacy 2.3.0 defaults admin/ui
  • #​49961 Themes: FolderTheme.getTemplate() missing path-containment check account/ui
  • #​50074 SSF admin endpoint: missing client-level authorization check exposes push delivery secret ssf
  • #​50316 Use constant-time comparison when validating OTP codes authentication
  • #​50460 SSF push URL allow-list bypass via authority-attached wildcard ssf
  • #​50464 SAML Step-Up: Over-achieved LoA collapses AuthnContextClassRef to AC_UNSPECIFIED on SSO re-entry saml
  • #​50466 SAML Step-Up: Three robustness issues in LoA mapping and classRef selection saml
  • #​50481 Cacheless: JpaSingleUseObjectProvider.putIfAbsent() missing lifespan validation present in put()
  • #​50482 Cacheless: Root authentication session lookup uses assert-only realm check — no-op in production
  • #​50483 Cacheless: LoginFailureExpirationAction compares milliseconds vs seconds — rows never reaped
  • #​50488 HAProxy guide: Missing unconditional del-header for Client-Cert before conditional set-header
  • #​50491 Client API v2: Operator secretRef resolves arbitrary Secrets without ownership validation admin/api-v2
  • #​50494 Client API v2: Operator prefers HTTP over HTTPS when both are enabled admin/api-v2
  • #​50534 Identity Broker v2: Internal exception message reflected in /token error response oidc

Removed features

  • #​44013 Deprecate the Twitter IDP implementation due to old twitter4j library identity-brokering
  • #​48104 Remove support for token-exchange-external-internal:v2 token-exchange/federated
  • #​49270 Remove the batching option for the persistent sessions

New features

  • #​9686 Store the Dynamic Scope parameter to avoid showing the Consent Screen every time there's an authentication
  • #​20128 Add support for `reencrypt` OpenShift Routes to the Operator operator
  • #​22042 More flexible imports in custom theme (i.e. CSS media queries) account/ui
  • #​35650 Compatibility profiles
  • #​44317 [OID4VCI] Add a client policy to require a credential offer
  • #​46543 Step-up authentication for SAML - supported authentication
  • #​48623 Make the admin client, from the admin-ui more easy to use

Enhancements

  • #​9915 Make the consent screen text for dynamic scopes customizable with a reference to the dynamic scope parameter
  • #​10696 Improve WebAuthn tests documentation testsuite
  • #​12223 Dynamic scopes: requested scopes get mixed up between token requests oidc
  • #​17758 [UX Review] Optimize the number box in the Time-policy creation page of client Authorization admin/ui
  • #​17762 [UX Review] Optimize the initial page of Keys in OIDC client admin/ui
  • #​17770 Remove unnecessary conditions from code admin/ui
  • #​17771 Caught errors should have the correct type associated with them admin/ui
  • #​22229 UI should prevent admins from defining a dynamic client scope with type Default oidc
  • #​24436 Account API - "/applications/{clientId}/consent" : Provide option to get enhanced ConsentScopeRepresentation account/api
  • #​24823 Adding client_id as prefix in client roles mapper core
  • #​26602 Allow user search by direct lookup via username and email
  • #​26699 Nested group members from Active Directory are not showing in Keycloak groups ldap
  • #​29558 Best practices for detecting support for Passkeys - support for isUserVerifyingPlatformAuthenticatorAvailable() authentication/webauthn
  • #​30328 Add ability to inspect generated SAML response for SAML Clients with client scope mappings saml
  • #​31641 Implement organization-specific admin roles with limited permissions organizations
  • #​32527 Provide default krb5.conf in Docker image or extend migration docs docs
  • #​34104 Improve robustness of backchannel logout with client sessions
  • #​38632 README.md Other Keycloak Projects
  • #​40026 Support subdomain matching for Organizations in IdP redirect logic
  • #​41164 Redirection Endpoint should be validated not to include a hash in the URL oidc
  • #​42513 Set residentKey instead of requireResidentKey in Webauthn creation request authentication/webauthn
  • #​42883 FIX multiple LDAP failover & document the possibility of having multiple LDAP URLs in LDAP provider
  • #​43955 Cluster-wide Operator MVP
  • #​45104 Add native "Remember Me" support to WebAuthn/Passkey Authentication Flows login/ui
  • #​45292 Search realms by "Display name" in the "Manage realms" view admin/ui
  • #​45295 Improve client authentication flows authentication
  • #​45497 Introduce granular roles for Organization management (manage-organizations, view-organizations) organizations
  • #​45866 Customize SAML service provider metadata
  • #​45900 Support multiple organization scopes in OIDC token requests organizations
  • #​46435 Good database instructions for a production ready Keycloak setup
  • #​46740 Prevent ASCII control characters in query parameters
  • #​46903 A User belonging to multiple organization should be allowed to change his organization choice during login organizations
  • #​46959 Enhance WebAuthn Conditional UI to auto-trigger passkey modal on page load authentication/webauthn
  • #​46981 Support experimental cluster-wide operator installation by using kubectl operator
  • #​47174 MySQL/TiDB: Configure DB socket timeouts on the fly during connection creation phase dist/quarkus
  • #​47284 Introduce ORGANIZATIONS resource type in Fine-Grained Admin Permissions admin/fine-grained-permissions
  • #​47314 Token Exchange with sender constrained tokens missing cnf claim oidc
  • #​47327 Support mapping existing Realm and Client roles to Organization Groups organizations
  • #​47330 Document provided ProtocolMapper implementations docs
  • #​47356 Enhancement: Improve the performance of loading large password blacklists
  • #​47383 Add example for health check when using HTTPS
  • #​47431 Organization feature will only show linked IDPs if the user has already one linked organizations
  • #​47542 Use client-side Streaming for admin api v2 in the Java client
  • #​47762 Enhance quick-theme .jar generation. admin/ui
  • #​47851 OrganizationGroupMembershipMapper should support configurable token claim name organizations
  • #​47951 Add Vietnamese (vi) as a translation translations
  • #​47960 Add CLI options for mTLS database connections
  • #​47963 Update tested configurations for single- and multi-cluster to the recent OpenShift version
  • #​48053 Allow db-connect-timeout to be used for all datasources dist/quarkus
  • #​48059 Safeguard against wrong PID in containers dist/quarkus
  • #​48088 When a group is granted a role, it should not read all existing role mappings from the database core
  • #​48098 Expose hidden management options
  • #​48338 Add details to AdminEvent in UserResource.removeCredential core
  • #​48393 [CIMD] Document the existing query-string defense on the MCP Authorization Server docs page
  • #​48420 Upgrade `webauthn4j` to 0.30.3 authentication/webauthn
  • #​48445 Enable passkeys configuration does not follow best UX authentication/webauthn
  • #​48539 Update WebAuthn Metadata service data authentication/webauthn
  • #​48540 Support icons for Passkeys credentials authentication/webauthn
  • #​48557 Show Groups tab in the account console when user is part of any group account/ui
  • #​48588 Fine Grained Authorization v2 : does not work PUT https://i/admin/realms//admin-permissions/groups/ admin/fine-grained-permissions
  • #​48730 DB documentation doesn't state on how to check the transaction isolation for MSSQL
  • #​48755 User deletion latency grows with Infinispan session-cache fill level / size infinispan
  • #​48863 Include kid in details of CLIENT_LOGIN event of Signed JWT Client Authentication
  • #​48892 SSF: Track if stream was created by Keycloak or ssfReceiver ssf
  • #​48893 SSF: Remove "audience" field from create stream form ssf
  • #​48962 Add suggestions when features are incorrectly specified dist/quarkus
  • #​49037 Expose multi-namespace install modes
  • #​49040 Make `AbstractJWTClientValidator` / `FederatedJWTClientValidator` methods `protected` for extensibility
  • #​49177 Remove explicit --shutdown-timeouts configuration from proxy example configurations
  • #​49235 SSF: Move Push timeout settings to SSF Receiver tab ssf
  • #​49248 Consider additional datasources in health checks
  • #​49348 Ensure proper management of thread-bound resources.
  • #​49372 Unify buttons in horizontal layout for Login UI login/ui
  • #​49378 Login page title should use full width when locale selector is hidden login/ui
  • #​49424 Include subject to email template attributes
  • #​49453 Persistent sessions should be written as part of the original main transaction where possible infinispan
  • #​49469 Stateless mode: store volatile session data in the database
  • #​49491 Full user representation when querying organization members organizations
  • #​49573 Attribute for clients scopes to always require consent token-exchange/subject-impersonation
  • #​49608 Correct themes README
  • #​49645 Organization member read endpoints should document parent-gated org-level authorization contract organizations
  • #​49711 [Login UI] Improve credential selector layout login/ui
  • #​49757 Reverse proxy docs: should not proxy master realm docs
  • #​49873 How to thread dump with and without virtual threads observability
  • #​49947 Add OIDF conformance tests to CI oidc
  • #​49988 Docs should describe on how to detect if a graceful shutdown was successful docs
  • #​50050 SSF: Handle disabled SSF Receiver client ssf
  • #​50087 Generate queryable fields documentation from code docs
  • #​50134 Refresh client data after invalidating rotated secret in Credentials tab
  • #​50261 MCP Documentation for 26.7
  • #​50327 Improve OAuth Identity and Authorization Chaining Across Domains guide
  • #​50369 Composite-role expansion does an N+1 of `getChildRoles` queries (each with an auto-flush) that dominates Keycloak CPU on the cache-miss path core
  • #​50467 Prevent DoS when using complex filter conditions workflows
  • #​50476 Retarget quarkus-next to Quarkus 3.x branch after main switched to 4.0

Bugs

  • #​12142 IdP backchannel logout does not work with session id in logout oidc
  • #​20649 "Not username" and "Not email" options when creating/changing a password, should ignore letter case when comparing password to email or to username authentication
  • #​27431 New clients have a JavaScript default policy configured which causes problems on export/import authorization-services
  • #​32124 Backchannel logout notification client for Update_Password AIA is not having all the session ids authentication
  • #​33204 Identity Providers are missing from the login page if I request a reset password for an existing user login/ui
  • #​35104 Timestamp overflow in client secret rotation feature leads to next refresh time being set to the past core
  • #​37355 Web Crypto API not available in `login-status-iframe.html` when using admin console from insecure context oidc
  • #​38124 High values for client secret expiration result in expiration dates in the past core
  • #​40603 Account UI reports "Something went wrong" if user doesn't have permissions to view applications account/ui
  • #​44591 Terms and Conditions Accepted Timestamp user-profile
  • #​44620 Possible data loss when scaling Keycloak StatefulSet down (on Kubernetes) infinispan
  • #​44741 Device activity does not recognize iOS 26 correct account/ui
  • #​45420 [OID4VCI] Wrong typ value for SD-JWT VC oid4vc
  • #​45494 ScrollForm navigation does not update active section on click or scroll admin/ui
  • #​45568 Pending auth flow waiting for email verification succeeds even after password reset - providing room for pre-account takeover attacks authentication
  • #​45716 Problem with Standard Token Exchange with Dynamic Scopes feature enabled (Wrong default scopes) token-exchange
  • #​46083 "Full scope allowed" toggle reverts to previous state when switching between Scope and Mappers tabs in Dedicated scopes admin/ui
  • #​46088 Newly created resource appears on both current and next page in Authorization Resources tab authorization-services
  • #​46132 profile scope causes NumberFormatException oidc
  • #​46172 Issues when deleting several realms at the same time admin/api
  • #​46463 Input field for device user code is badly formatted login/ui
  • #​46634 Brute force detection counter does not work properly authentication
  • #​46742 Keycloak makes network requests to addresses in login certificates before verifying them authentication
  • #​46926 PAR endpoint enforces “Request Object Required” and expects request_uri oidc
  • #​46954 ClearExpiredEvents job crashes app and locks DB when EVENT_ENTITY Table has large amount of records admin/ui
  • #​46978 Document / validate .conf extension is required for --config-file option dist/quarkus
  • #​47017 Remember me does not work when organization scope is enabled on login session. authentication
  • #​47046 [OID4VCI] Credential definition type should include VerifiableCredential oid4vc
  • #​47061 Duplicated flows can have illegal characters in step name authentication
  • #​47202 DefaultLocaleUpdaterProvider: KEYCLOAK_LOCALE cookie not set for READ_ONLY federated users ldap
  • #​47274 [OID4VCI] Option 'Pre-Authorized code lifespan' should be renamed oid4vc
  • #​47294 Use SecureRandom instead of Random for D-Bus cookie generation in SSSD federation authentication
  • #​47341 Updating client scope fails if it was saved while the dynamic scopes feature was active in the past oidc
  • #​47386 [OID4VCI] TokenResponse requires credential_identifiers in authorization_details
  • #​47421 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionAtSameNode ci
  • #​47432 The cancel button in the custom UiTabProvider encounters an issue where it redirects to an incorrect URL and triggers an error. admin/ui
  • #​47477 Flaky test: org.keycloak.testsuite.forms.AuthenticatorSubflowsTest2#testSubflow2 ci
  • #​47499 Maven windows wrapper trips over whitespace in pathname for setup dependencies
  • #​47500 Build Quarkus snapshots in quarkus-next workflow ci
  • #​47513 Review JwtProofValidator oid4vc
  • #​47523 The name "master" seems to be hard-coded in places and thus breaks KC_SPI_ADMIN_REALM admin/ui
  • #​47545 Keycloak ships source maps for Admin UI and Account UI account/ui
  • #​47560 Missing default value for max parameter in the Admin REST APIs docs docs
  • #​47659 SRCFG01008 warning in source Quarkus dev mode when kc.log-console-output=default (not reproducible via packaged kc.sh) dist/quarkus
  • #​47681 Log Injection and Audit Forgery in OIDC Authorization Endpoint (client_id parameter) oidc
  • #​47700 Duplicate entries created in Role Attributes during concurrent setSingleAttribute calls storage
  • #​47710 updated popover when there is no change admin/ui
  • #​47733 Able to update Identity Provider alias via admin console and API admin/api
  • #​47750 cache-embedded-mtls-enabled maps to a build time property, but is a runtime option dist/quarkus
  • #​47832 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceClientSessionsMultipleNodes ci
  • #​47833 Flaky test: org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testUserRemoved ci
  • #​47834 Flaky test: org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testExpirationDistribution ci
  • #​47835 Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderOfflineModelTest#testOfflineSessionLazyLoadingPropagationBetweenNodes ci
  • #​47898 [OID4VCI] Default client scopes not configured correctly
  • #​47914 Declarative UI: Avoid silent failure to add path params admin/ui
  • #​47923 account-console client can be deleted despite being a built-in internal client admin/api
  • #​47925 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval ci
  • #​47958 Admin UI Test is logging to the console admin/ui
  • #​47966 Client admin v2 API: service account role management fails for client roles dist/quarkus
  • #​47967 Generated openapi.yaml drifts on incremental builds dist/quarkus
  • #​47970 JDBC_PING2 will stall when in a two-node-split-brain one node dies infinispan
  • #​47978 Flaky test: org.keycloak.testsuite.model.session.UserSessionInitializerTest#testUserSessionPropagationBetweenSites ci
  • #​47979 Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderOfflineModelTest#testOfflineSessionLazyLoading ci
  • #​47990 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation ci
  • #​47993 Docs: directory of keycloak-database-update.sql file import-export
  • #​48014 [OID4VCI] credential_offer_uri can only be consumed once
  • #​48024 Relax Client ID validation for the Signed JWT - Federated (Kubernetes Service Accounts) oidc
  • #​48035 [OID4VCI] Self-Signed x5c Bypasses Key Attestation Validation oid4vc
  • #​48044 OID4VC QR Code Unbounded Dimensions DoS oid4vc
  • #​48084 Admin console localizate realm name admin/ui
  • #​48119 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#loginWithExistingUserWithBruteForceEnabled ci
  • #​48120 Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderModelTest#testCreateUserSessionsParallel ci
  • #​48121 Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderModelTest#testStreamsMarshalling ci
  • #​48129 Stabilize Operator CI in quarkus-next ci
  • #​48137 Unhandled NullPointerException on Keycloak Server via GET parameter "key" with unsigned JWT oidc
  • #​48173 Maven cache is never extracted on Azure/Aurora VMs ci
  • #​48206 Registration with email verification - corner case scenario for pre-account takeover authentication
  • #​48230 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionsAtRandomNode ci
  • #​48284 UiPageProvider components not refreshed on page change admin/ui
  • #​48357 Restore Quarkus snapshot cache in unit-test-setup for quarkus-next ci
  • #​48366 OpenAPI spec key reordering on incremental builds dist/quarkus
  • #​48392 Migration fails for organization admin roles with LazyInitializationException organizations
  • #​48412 Add option to specify the CA Subject DN in the Client X.509 Authenticator authentication
  • #​48428 Keycloak issues tokens via implicit and hybrid flow when DPoP is enforced for the client oidc
  • #​48441 Flaky test: org.keycloak.testsuite.model.singleUseObject.SingleUseObjectModelTest#testCluster ci
  • #​48442 Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent ci
  • #​48443 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testAuthSessions ci
  • #​48446 Flaky test: org.keycloak.testsuite.authz.PolicyEvaluationTest# ci
  • #​48456 Account Console v3: Cannot revoke consent for clients with URL-based or special character clientIds (Regression of #​19515) account/ui
  • #​48458 Read-only multivalued user profile attributes are not grayed out in the account console user-profile
  • #​48459 Role update failes when no name is set admin/api
  • #​48487 Improper Authentication for required actions allows front-channel token issuance for disabled user in implicit/hybrid flow oidc
  • #​48514 Permission issue prevents user with manage-identity-provider role to access "realm roles" list when adding hardcoded role mapper admin/ui
  • #​48559 [quarkus-next] Model tests fail due to ByteBuddy removal from Hibernate runtime classpath dist/quarkus
  • #​48561 Quarkus UT (windows-latest) cancelled when ubuntu variant fails ci
  • #​48566 Admin console assets 404 in 26.6.x: quay.io/keycloak/keycloak:26.6 ships /opt/keycloak/data/tmp as root:root 0755, blocking gzip cache creation dist/quarkus
  • #​48589 Test framework startup timeout is ignored in DockerKeycloakDistribution testsuite
  • #​48592 Keycloak does an LDAP query with service account UUID when a token from a service account is used for obtaining a Requesting Party Token from a client with Authorization services authorization-services
  • #​48593 Management endpoint doesn't pick up HTTPS truststore dist/quarkus
  • #​48594 [quarkus-next] Aurora CI fails with missing quarkus-bom:999-SNAPSHOT on remote EC2 VM storage
  • #​48598 HttpDistTest.maxQueuedRequestsTest fails on runners with limited vCPUs ci
  • #​48610 Neither `INVITE_ORG` nor `REGISTER` event is triggered when a new user is invited to an organization organizations
  • #​48611 Docs: server_admin/topics/overview/how.adoc SAML 2.0 link is broken saml
  • #​48634 Verify Email gets added to all the users in the realm and blocks getting a REST Token authentication
  • #​48645 `ORGANIZATION_MEMBERSHIP` event with `ACTION` operation is missing `representation` and `detail` fields admin/api
  • #​48647 Flaky test: org.keycloak.testsuite.forms.RPInitiatedFrontChannelLogoutTest#testFrontChannelLogoutWithoutSessionRequired ci
  • #​48654 OrganizationProvider.count() used for existence checks causes severe database lag with large realms organizations
  • #​48666 User Storage Task sync event can lead to deadlocks and outdated information storage
  • #​48680 Realm display name localization placeholder is not expanded when resolving OTP issuer name authentication
  • #​48721 Introspect endpoint returns "invalid_request" instead of "invalid_client" on client authentication failure (RFC 7662) oidc
  • #​48749 Prevent setting different than default decisionStrategy for FGAP admin/fine-grained-permissions
  • #​48771 Identity Provider detail settings allow saving without changes admin/ui
  • #​48812 AutoUpdate force recreate operator
  • #​48834 NPE in `OrganizationGroupMembershipMapper` when no `organization` scope is requested organizations
  • #​48862 Flaky test: org.keycloak.testsuite.broker.OidcAdvancedClaimToGroupMapperTest#mapperStillWorksWhenTopLevelGroupIsConvertedToSubGroup ci
  • #​48868 OIDC bearer-only legacy clients lose client secret after updating basic attributes (name/description) on Keycloak 23 oidc
  • #​48882 Save button on "Create organization" page is not enabled when name is pasted from clipboard admin/ui
  • #​48903 Regression: forced organization validation in 26.6 even without taking Organizations feature into use organizations
  • #​48917 Missing locale keys in Organization Membership protocol mapper admin/ui
  • #​48920 Test framework startup timeout is hardcoded to 5 minutes testsuite
  • #​48949 JS CI is failing in the Admin UI lint check admin/ui
  • #​49026 Admin UI: Enter key does not trigger search in Organization Members, Invitations, and User Organizations admin/ui
  • #​49057 Migration-strategy=manual bypasses DBA workflow for custom providers (re-opening #​36525) dist/quarkus
  • #​49063 Authorization Evaluate results page hides the last resource behind the action bar authorization-services
  • #​49069 Missing and incorrect permission checks on organization invitation endpoints organizations
  • #​49083 Error while removing expired entries from database storage
  • #​49139 Starting FIPS mode in 26.6.1 fails with NoSuchAlgorithmException core
  • #​49146 Quick theme login style broken admin/ui
  • #​49176 SCIM: Incorrect location URL scim
  • #​49180 Unable to easily provide full certificate chain with HaProxySslClientCertificateLookup authentication
  • #​49185 HttpResponse.setStatus is not generally usable
  • #​49189 LDAP: objectGUID binary attribute not converting to Base64/String in version 26.6.1 and 26.6.2 ldap
  • #​49192 Compilation error because of setSystemPropertyOnServer testsuite
  • #​49249 Deprecate KeycloakContext.getRequestHeaders
  • #​49250 SSF: auto-notify-on-login fails with ReadOnlyException for users from a read-only LDAP federation ssf
  • #​49255 PAR authorization request with prompt=create does not open registration page oidc
  • #​49256 Oracle database ignores db-url-properties dist/quarkus
  • #​49257 Identity provider broker callback returns HTTP 502 for client-side input validation failures (missing state, missing code) identity-brokering
  • #​49267 JPA exception mapper swallows some intermediate exceptions dist/quarkus
  • #​49272 ReadOnlyAttributeUnchangedValidator.isUnchanged() does not handle omitted read-only attributes user-profile
  • #​49310 Backoff retry does not honor the timeout core
  • #​49342 Client secret rotation feature. Client Secret and Secret Rotated are always the same oidc
  • #​49388 Dynamic scopes do not work with CIBA oidc
  • #​49441 mutual-tls guide references wrong option docs
  • #​49451 UI allows invalid role-ldap-mapper configuration when "Use Realm Roles Mapping" is enabled together with Client ID selection. admin/ui
  • #​49452 Admin UI: Workflows menu link visible to users without sufficient permissions to use it admin/ui
  • #​49456 [CIMD] secure-redirect-uris-enforcer is not enforced for CIMD public clients during authorization requests oidc
  • #​49457 [CIMD] Client policy executor auto-configuration is not applied when a public client is created through CIMD oidc
  • #​49481 admin-client: TokenResponse.expiresIn typed as string but Keycloak returns a number admin/client-js
  • #​49490 [SAST] Dead local stores (Batch 2) core
  • #​49495 [SAST] Unchecked negative value in `readInteger()` authorization-services
  • #​49517 French translation for credentials related events are incorrect translations
  • #​49550 MySQL migration fail due to group replication enforcing PK for `CREATE TABLE ... AS SELECT` storage
  • #​49571 FilterUtils.unescapeJsonString() incorrectly decodes escaped backslash sequences scim
  • #​49575 [OID4VCI] Account console "Issue to Wallet" does not work when scope-name different than credential-config-id account/ui
  • #​49577 Azure/Aurora "Upload flaky tests" fails with 409 Conflict on duplicate artifact name ci
  • #​49612 keycloak-admin-client logs errors to the console in fetchWithError admin/client-js
  • #​49644 ExportImportTest is unstable in the windows tests testsuite
  • #​49674 Deleting admin-permissions client via v1 Admin API returns unknown_error instead of descriptive validation error admin/fine-grained-permissions
  • #​49702 UserSelect component limits the search results during autocompletion lookup authorization-services
  • #​49718 FreeMarkerLoginFormsProvider: handleThemeResources called twice per request due to getMessage() in createCommonAttributes login/ui
  • #​49720 Organization managed users should not be allowed to link other idps from the account console identity-brokering
  • #​49723 FIPS tests are broken in CI testsuite
  • #​49730 `--features=cimd` should add `none` to token_endpoint_auth_methods_supported oidc
  • #​49732 26.6.2 upgrade: `Cannot invoke "org.keycloak.authorization.model.Resource.getScopes()" because "resourceTypeResource" is null` dist/quarkus
  • #​49742 Simplified/ Traditional Chinese is displayed twice in locale selector translations
  • #​49762 NPE in MgmtPermissions.isRealmAdmin() when using AdminPermissions.evaluator() with FGAP V2 enabled admin/fine-grained-permissions
  • #​49793 OIDC: Client secret generation should ensure sufficient entropy for all configured HMAC signature algorithms oidc
  • #​49830 26.6.x upgrade runs unbounded OFFLINE_CLIENT_SESSION REALM_ID backfill, blocking startup on large data sets storage
  • #​49841 SCIM: ServiceProviderConfig endpoint returns filter.maxResults: 0 instead of 100
  • #​49847 SCIM endpoint returns 500 instead of 404 for unknown resource types scim
  • #​49869 Fix KcAdmV2EditCLITest.testEditNonExistentResource assertion when client is not found admin/cli
  • #​49908 Admin Console sessions page fails with unknown_error when federated user is deleted while an active session still exists storage
  • #​49909 Invalid token at openid connection client registration results in 500 instead of 401 authentication
  • #​49952 TokenManager.isValidScope overload ignores provided AuthorizationRequestContext (incomplete #​49388 refactor) token-exchange
  • #​49960 Brute-force detection: Authenticated session token refresh resets lockout counter authentication
  • #​49969 UserInfoEndpoint throws NullPointerException (HTTP 500) for JWTs with null or missing alg header oidc
  • #​49972 SSF Stream empty state shows extra text and refresh button admin/ui
  • #​49973 SCIM endpoint returns 500 instead of 401 for unauthenticated requests scim
  • #​49978 Kubernetes identity provider does not use documented default issuer
  • #​50014 Binding authentication flow leads to "flow.undefined" showing in admin ui authentication
  • #​50039 Creating a client with empty `redirectUris` or `webOrigins` causes ORA-01400 (NULL insert) on Oracle database core
  • #​50054 Warning of deprecated feature enabled dist/quarkus
  • #​50063 Unable to invite user to organization when their email is a substring of an already-invited email organizations
  • #​50092 Events search type filters don't filter while typing admin/ui
  • #​50128 kcw: line 109: cd: /home/myuser/Downloads: No such file or directory
  • #​50136 StackOverflowError when trying to reset Password of OrganizationUser with FGAP authorization-services
  • #​50139 Client Secret Rotation docs incorrectly mark feature as experimental instead of preview docs
  • #​50175 `KcAdmV2ClientCLITest#testListClientsWithFieldsProjection` is failing as query param cannot be exploded anymore admin/cli
  • #​50177 SAML client creation fails with "Error creating X509v1Certificate" when Client ID contains URL query string characters saml
  • #​50191 Admin UI dynamic Group provider config crashes without GroupsResourceContext in 26.6.3 admin/ui
  • #​50195 Admin UI E2E realm-settings/general.spec.ts "realm enable/disable switch" failure testsuite
  • #​50201 LDAP user federation re-binds the service account on every operation since 26.6.0 (connection pool not reused) ldap
  • #​50268 `TokenManager#invokeTokenPostProcessors` doesn't respect `ProviderFactory#order` oidc
  • #​50286 ConcurrentModificationException reading client-registration policy config under parallel client registration oidc
  • #​50291 PathMatcher.buildUriFromTemplate throws StringIndexOutOfBoundsException for a template with an unclosed brace authorization-services
  • #​50300 TimeSelector clears input and switches units when value is 0 in Admin Console authentication
  • #​50308 NumberFormatException for PAR request URI lifespan admin/api
  • #​50353 Broken reference in rolling updates guide docs
  • #​50380 Workflow state removeAll() deletes records across all realms on realm removal workflows
  • #​50439 Base2 testsuite (new) often fails with timeout ci
  • #​50484 [quarkus-next] Config interceptors create SmallRyeConfig during test bootstrap causing ServiceConfigurationError dist/quarkus
  • #​50500 User Attribute mapper clears the value when custom attribute is selected admin/ui
  • #​50515 Kotlin jars are included unnecessarily in the server assembly dist/quarkus
  • #​50582 Keycloak 26.x Operator Fails to import a realm if the maxSecondaryAuthFailures field is present
  • #​50633 web-crypto-shim does not work after upgrade to uuid 14 authentication
  • #​50712 Source and javadoc jars not generated core

v26.6.4

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

  • #​50344 CVE-2026-9099 Keycloak: group-admin escalation to realm-admin
  • #​50345 CVE-2026-9083 Keycloak: keycloak: information disclosure through arbitrary filesystem path probing
  • #​50347 CVE-2026-9086 Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass
  • #​50349 CVE-2026-9705 Keycloak: keycloak: attacker can re-enable and take over disabled clients via registration access token
  • #​50350 CVE-2026-9795 Keycloak: keycloak: privilege escalation via improper scope mapping enforcement
  • #​50351 CVE-2026-9799 Keycloak: keycloak: unauthorized access to resources via uma permission ticket bypass
  • #​50352 CVE-2026-9800 Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison
  • #​50357 CVE-2026-11800 Keycloak: Authentication bypass via JWT algorithm confusion

Enhancements

Bugs

  • #​47999 [Keycloak JavaScript CI] - Build Keycloak ci
  • #​49639 Keycloak Admin Client tests fails in CI ci
  • #​49700 Incorrect migration guide reference docs
  • #​49707 Cannot build project due to ISPN protoschema and 26.2 branch infinispan
  • #​49733 keycloak-api-docs-dist is not deployable dist/quarkus

v26.6.3

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

  • #​47707 CVE-2026-4800 lodash vulnerable to Code Injection via `_.template` imports key names account/ui
  • #​47935 [CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint manipulation oidc
  • #​48036 [CVE-2026-37977] CORS Access-Control-Allow-Origin reflected from unverified JWT azp claim on UMA token endpoint authorization-services
  • #​48709 [CVE-2026-7500] Improper Access Control on Keycloak Server when the account Account API feature is disabled account/api
  • #​48805 CVE-2026-42581 Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
  • #​49118 [CVE-2026-8922] OIDC token introspection ignores realm-level notBefore when client-level notBefore is set oidc
  • #​49133 [CVE-2026-8830] Missing server-side WebAuthn validations during credential registration authentication/webauthn
  • #​49174 [CVE-2026-9088] Group Members Endpoint Bypasses User Profile Permissions admin/fine-grained-permissions
  • #​49175 [CVE-2026-9087] Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login identity-brokering
  • #​49426 [CVE-2026-9802] Server restart resets startupTime, allowing reuse of rotated refresh tokens when revokeRefreshToken=true oidc
  • #​49428 [CVE-2026-9794] SAML ECP faultstring discloses client existence and configuration state saml
  • #​49431 [CVE-2026-9791] Organization data exposed in tokens and account API when Organizations feature is disabled at realm level organizations
  • #​49433 [CVE-2026-0707] ClientRegistrationAuth DoS via malformed Authorization header (CVE-2026-0707 incomplete fix) admin/api
  • #​49434 [CVE-2026-9801] DoS in LDAP federation via malformed PasswordPolicyControl ldap
  • #​49435 [CVE-2026-9704] Privilege escalation via silent subject_token removal in token exchange oidc
  • #​49436 [CVE-2026-9792] ROPC grant bypass in client policy enforcement oidc

Weaknesses

  • #​48978 UNSAFE_PATH_PATTERN regex to cover percent-encoded terminators and control characters oidc
  • #​48986 Authorization Services: NullPointerException in UMA permission grant when stale permission ticket references removed scope authorization-services
  • #​48987 Account API: Resource sharing endpoints ignore userManagedAccessAllowed realm setting authorization-services
  • #​49086 Account resource sharing resolves recipient by username before email, granting access to wrong user authorization-services

Enhancements

  • #​48311 Upgrade to Quarkus 3.33.2 dist/quarkus
  • #​48695 Add startup check for missing database indexes
  • #​49148 Add SPI option to disable FD_SOCK2 failure detection
  • #​49526 Update to simple-git 3.36.0
  • #​49530 Update to uuid >=13.0.1

Bugs

  • #​45957 Handling of CORS requests in the Admin UI ineffective / open for CSRF admin/ui
  • #​47036 Account ResourceService user endpoint returns excessive user data in UMA-enabled realms core
  • #​48324 UMA IS_ADMIN filter breaks ticket finding authorization-services
  • #​48430 Wildcard redirect URI matching does not enforce host boundary when * is placed directly after hostname oidc
  • #​48432 ClientAdapter using wrong value for isFrontChannelLogout oidc
  • #​48438 Keycloak 26.6.0/26.6.1 exits (code 1) ~100ms after async realm migration completes; migrations not persisted core
  • #​48455 ContextNotActiveException during error handling core
  • #​48464 Incomplete SCIM schema definition for objects scim
  • #​48529 Broken downstream docs formatting on Kubernetes topic docs
  • #​48584 Updating Keycloak to 26.6.x fails on SQL Server with case sensitive collation core
  • #​48628 Client registerNode and unregisterNode endpoints fail authenticating the client core
  • #​48681 ExternalLinksTest: oasis-open.org/standard/saml/ returns 403 in CI causing flaky documentation check ci
  • #​48716 Missing index IDX_IDP_FOR_LOGIN and IDX_CLIENT_ATT_BY_NAME_VALUE for Microsoft SQL Server core
  • #​48744 Input validation/ Unhandled NullPointerException on alg:none JWT in Bearer Authentication authentication
  • #​48792 Virtual Thread checking is not working infinispan
  • #​48806 NPE when accessing Account UI and the ACCOUNT feature is disabled account/api
  • #​48877 Keycloak 26.6.1 does not persist UPDATE_PASSWORD for LDAP/AD federated users after temporary password reset ldap
  • #​48904 Consistent 500 on DELETE of realms via non-browser clients calling REST API admin/api
  • #​49058 Keycloak fails to run tests with embedded undertow dist/quarkus
  • #​49140 Workflows documentation: offboarding example is incorrectly enclosing the list of revoked roles with double quotes workflows
  • #​49149 Disable single thread sender in JGroups infinispan
  • #​49151 FIPS jobs fail in CI because java-25-openjdk-devel package is missing testsuite
  • #​49163 Enable JGroups message stats infinispan
  • #​49194 Use Java 25 again for FIPS jobs testsuite
  • #​49222 Incorrect link to Themes documentation docs
  • #​49224 Broken links in UI Customization Guide docs
  • #​49263 Use the PostgreSQL driver privacy option `logServerErrorDetail` dist/quarkus
  • #​49265 Since Hibernate 7, the workaround to not log-and-throw Hibernate errors does not longer work dist/quarkus
  • #​49274 JavaScript CI hangs when installing playwright testsuite
  • #​49288 Link issue in the documentation for https://www.rfc-editor.org/rfc/rfc7662 docs
  • #​49356 SAML async processing leaves a dangling threadlocal transaction dist/quarkus
  • #​49611 Realm extensions require Bearer or Drop authorisation admin/api

v26.6.2

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

  • #​47485 CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service
  • #​47486 CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing
  • #​47932 [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters authorization-services
  • #​48049 [CVE-2026-37980] Stored XSS in select-organization.ftl - FreeMarker HTML-escape insufficient in inline JS handler organizations
  • #​48275 CVE-2026-5588 Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules core
  • #​48388 [CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration authentication/webauthn
  • #​48570 [CVE‐2026‐0636, CVE‐2026‐3505, CVE‐2026‐5598] Multiple bouncycastle CVEs core
  • #​49108 [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint
  • #​49109 [CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak
  • #​49110 [CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data
  • #​49111 [CVE-2026-7507] Session fixation in OIDC login flow leading to account takeover
  • #​49112 [CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account
  • #​49113 [CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens
  • #​49114 [CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission
  • #​49115 [CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access)
  • #​49116 [CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration

Enhancements

  • #​47728 Monitor backups for CNPG - describe how to monitor it in the CNPG for backups installation guide
  • #​47734 Add dedicated "Monitoring Standbys" section to the general installation documentation
  • #​48329 JDBC_PING in 26.6 should not fail with 26.7 schema changes
  • #​48348 Escape expressions in JS blocks in FTL pages
  • #​48687 Upgrade to Quarkus 3.33.1.1

Bugs

  • #​38526 Duplicate user attribute values cannot be removed core
  • #​40602 Account UI reports "Something went wrong" when opening an unknown path account/ui
  • #​47882 Broken link in deploy-cnpg docs
  • #​47901 Realm import with --import-realm fails with ModelValidationException when Admin Permissions is enabled admin/fine-grained-permissions
  • #​47915 FreeMarker templates allow instantiation of new objects and even running OS commands login/ui
  • #​47987 FGAP v2 Specific Group permission has no scopes found in resource admin/fine-grained-permissions
  • #​48030 Update to operator version 26.6.0 needs deletion of all objects operator
  • #​48040 User session limit generates fatal error authentication
  • #​48094 Wrong referenced resource type in Workflow handling for clients core
  • #​48123 Clarify canonicalization in X.509 authentication authentication
  • #​48143 Ordering of permission and policy calls leads to exposure of a client ID admin/api
  • #​48185 Deleted workflow still attempting to run workflows
  • #​48241 JavaScript Injection in frontchannel-logout.ftl via frontchannel-logout.title authentication
  • #​48259 Kubernetes identity providers docs still mention it to be a preview feature docs
  • #​48313 No escape approach for JS code inside the front channel logout FTL login/ui
  • #​48536 Review migration guide for rolling updates changes workflows
  • #​48629 WindowsServiceDistTest.testServiceLifecycle fails on slower runners due to insufficient startup timeout ci

v26.6.1

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

  • #​47276 CVE-2026-4366 Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling core
  • #​47619 CVE-2026-4633 Keycloak user enumeration via identity-first login core

Enhancements

Bugs

  • #​47435 AuroraDB IT CI workflow not cleaning up databases testsuite
  • #​47737 deploy-testsuite profile is incomplete, causing discrete testsuite execution to fail testsuite
  • #​47776 False session type of access token in offline_access refresh token flow with scope parameter without offline_access scope oidc
  • #​47827 az vm create fails with JSON parsing error ci
  • #​47872 v26.6.0 Operator flood logs with warnings operator
  • #​47889 Not possible to sync latest keycloak-admin-client to keycloak-client admin/client-java
  • #​47904 @​keycloak/keycloak-admin-client fails to install in version 26.6.0 admin/client-js
  • #​47905 invalid package reference in keycloak-admin-ui admin/ui
  • #​47908 MigrateTo26_6_0 modifies custom browser flows, breaking existing realm authentication organizations
  • #​47929 User profile multiselect options not highlighted as selected in dropdown admin/ui
  • #​47955 IdentityProviderAuthenticator creates an infinite redirect loop when an IdP returns an error (e.g. access_denied) and the login was initiated with kc_idp_hint identity-brokering
  • #​48015 Missing explicit docs anchor for organizations docs
  • #​48032 Endpoint Response Text during Bootstrap contains Typo: Boostrap dist/quarkus

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---|---|---| | [quay.io/keycloak/keycloak](https://github.com/keycloak-rel/keycloak-rel) | | minor | `26.6.0` → `26.7.0` | ![age](https://developer.mend.io/api/mc/badges/age/docker/quay.io%2fkeycloak%2fkeycloak/26.7.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/docker/quay.io%2fkeycloak%2fkeycloak/26.6.0/26.7.0?slim=true) | | [org.keycloak:keycloak-parent](http://keycloak.org) ([source](https://github.com/keycloak/keycloak)) | import | minor | `26.6.0` → `26.7.0` | ![age](https://developer.mend.io/api/mc/badges/age/maven/org.keycloak:keycloak-parent/26.7.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.keycloak:keycloak-parent/26.6.0/26.7.0?slim=true) | --- ### Release Notes <details> <summary>keycloak/keycloak (org.keycloak:keycloak-parent)</summary> ### [`v26.7.0`](https://github.com/keycloak/keycloak/releases/tag/26.7.0) [Compare Source](https://github.com/keycloak/keycloak/compare/26.6.4...26.7.0) <div> <h2>Highlights</h2> <div class="paragraph"> <p>This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:</p> </div> <div class="ulist"> <ul> <li> <p>Automate user provisioning with the SCIM API (preview)</p> </li> <li> <p>Simplified multi-cluster high availability without external caches (preview)</p> </li> <li> <p>Enhanced reverse proxy guides with blueprints for HAProxy and Traefik</p> </li> <li> <p>Step-up authentication for SAML clients</p> </li> </ul> </div> <div class="paragraph"> <p>Read on to learn more about each new feature. If you are upgrading from a previous release, <a href="https://www.keycloak.org/docs/latest/upgrading/index.html">also review the changes listed in the upgrading guide</a>.</p> </div> <div class="sect2"> <h3 id="_security_and_standards">Security and Standards</h3> <div class="sect3"> <h4 id="_stronger_security_for_the_identity_brokering_api">Stronger security for the Identity Brokering API</h4> <div class="paragraph"> <p>The Identity Brokering API allows applications to retrieve tokens obtained from external identity providers during federated login. Version 2 of this API replaces the legacy V1 with a more secure and standards-compliant design:</p> </div> <div class="ulist"> <ul> <li> <p><strong>Client-level authorization</strong> — access to external tokens is controlled per client using dedicated settings (<strong>Allow retrieve external tokens</strong> and an identity provider allow list) instead of assigning broker roles to individual users.</p> </li> <li> <p><strong>Confidential clients only</strong> — public clients are rejected, ensuring that only authenticated clients can retrieve external tokens.</p> </li> <li> <p><strong>OAuth 2.0 compliant</strong> — the endpoint uses <code>POST</code> and returns standard JSON responses with <code>access_token</code>, <code>error</code>, and <code>error_description</code> fields.</p> </li> <li> <p><strong>Session-based token storage</strong> — a new <strong>Store token in session</strong> option keeps tokens in the user session for faster access, with automatic cleanup on session expiry. Database storage remains available for persistence across sessions.</p> </li> </ul> </div> <div class="paragraph"> <p>V2 is now supported but disabled by default. V1 is deprecated but still enabled by default for backward compatibility. In a future release, V1 will be removed and V2 will become the default.</p> </div> <div class="paragraph"> <p>For more information, see the <a href="https://www.keycloak.org/docs/26.7.0/server_development/#_identity-brokering-apis">Identity Brokering APIs</a> chapter in the Server Developer Guide.</p> </div> </div> <div class="sect3"> <h4 id="_progress_on_verifiable_credentials_oid4vci_experimental">Progress on Verifiable Credentials (OID4VCI) (experimental)</h4> <div class="paragraph"> <p><a href="https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html">Verifiable Credentials (OID4VCI)</a> allow organizations to issue tamper-proof, cryptographically signed credentials — such as employee badges, academic diplomas, or professional certifications — that users can store in a digital wallet and present to third parties without involving the issuer.</p> </div> <div class="paragraph"> <p>OID4VCI remains an experimental feature in Keycloak, but this release brings substantial improvements from both the core team and the community:</p> </div> <div class="ulist"> <ul> <li> <p>Polishing of existing functionality and improving configuration. Everything is now configurable in the admin UI in addition to the admin REST API.</p> </li> <li> <p>Lots of bugs fixed. Improved specification compliance.</p> </li> <li> <p>Conformance with the <a href="https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-1_0.html">OpenID4VC High Assurance Interoperability Profile (HAIP)</a>. This work involves the introduction of the dedicated Keycloak experimental feature <code>client-auth-abca</code> for <a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-attestation-based-client-auth-07">Attestation based client authentication (ABCA)</a>.</p> </li> <li> <p>Management of verifiable credentials for individual users. This involves the ability for an administrator to create a verifiable credential for a user to indicate that this user can retrieve a verifiable credential, as well as the ability for users to start issuance of a verifiable credential from the Keycloak account console.</p> </li> <li> <p><a href="https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-pre-authorized-code-flow">Pre-authorized code grant</a> support is still experimental and was moved to the dedicated experimental feature <code>oid4vc-vci-preauth-code</code></p> </li> <li> <p>Support for credential refresh interval. Administrators can now configure a separate refresh interval (<code>vc.refresh_interval_in_seconds</code>) in the client scope settings that controls how often wallets must refresh the credential, independent of the credential lifetime. When not explicitly set, defaults to 7 days or the credential lifetime, whichever is smaller. This enables regular credential rotation for enhanced security while maintaining user convenience through automatic refresh using the refresh token. For more information, see the <a href="https://www.keycloak.org/docs/26.7.0/server_admin/#_oid4vci_client_scope">Create Client Scopes with Mappers</a> section in the OID4VCI configuration guide.</p> </li> <li> <p>Documentation updated and improved</p> </li> </ul> </div> <div class="paragraph"> <p>Many community members were involved in the development. Many thanks to <a href="https://github.com/Awambeng">Awambeng</a>, <a href="https://github.com/Captain-P-Goldfish">Pascal Knüppel</a>, <a href="https://github.com/dominikschlosser">Dominik Schlosser</a>, <a href="https://github.com/forkimenjeckayang">forkimenjeckayang</a>, <a href="https://github.com/IngridPuppet">Ingrid Kamga</a>, <a href="https://github.com/keshavprashantdeshpande">Keshav Deshpande</a>, <a href="https://github.com/namanONcode">Naman Jain</a>, <a href="https://github.com/officialasishkumar">Asish Kumar</a>, <a href="https://github.com/Ogenbertrand">Ogen Bertrand</a>, <a href="https://github.com/Oluwatobi-Mustapha">Oluwatobi Mustapha</a>, <a href="https://github.com/pulsastrix">Hugo Hakim Damer</a>, <a href="https://github.com/rameshkumarkoyya">rameshkumarkoyya</a>, <a href="https://github.com/tdiesler">Thomas Diesler</a> and <a href="https://github.com/Vitalisn4">Palpable</a> for the contributions!</p> </div> </div> <div class="sect3"> <h4 id="_cross_domain_token_exchange_with_identity_assertion_jwt_grant_experimental">Cross-domain token exchange with Identity Assertion JWT Grant (experimental)</h4> <div class="paragraph"> <p>When two organizations each run their own authorization server, users often need to re-authenticate when crossing between them — even though their identity was already verified. The <a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-identity-assertion-authz-grant">Identity Assertion JWT Authorization Grant (ID-JAG)</a> solves this by allowing one authorization server to present a signed identity assertion to another, which then issues an access token without requiring the user to log in again.</p> </div> <div class="paragraph"> <p>Keycloak provides partial experimental support for the Identity Assertion JWT Authorization Grant. It currently implements only the receiving authorization server role, accepting ID-JAG assertions at the token endpoint and issuing access tokens in return. Other parts of the ID-JAG specification are not yet implemented, so the complete flow is not currently supported.</p> </div> <div class="paragraph"> <p>To try it out, start Keycloak with the feature <code>identity-assertion-jwt</code> enabled.</p> </div> <div class="paragraph"> <p>Many thanks to <a href="https://github.com/bucchi">Yutaka Obuchi</a> for the contribution of this feature!</p> </div> </div> <div class="sect3"> <h4 id="_automate_user_provisioning_with_the_scim_api_preview">Automate user provisioning with the SCIM API (preview)</h4> <div class="paragraph"> <p><a href="https://datatracker.ietf.org/doc/html/rfc7644">SCIM</a> (System for Cross-domain Identity Management) is a standard protocol for reading and writing identity resources such as users and groups across multiple systems. It enables organizations to automate user provisioning and deprovisioning using widely available tooling — for example, integrating with identity governance platforms, HR systems, or other identity providers.</p> </div> <div class="paragraph"> <p>Keycloak has SCIM APIs for managing users and groups within a realm. The implementation covers full CRUD and PATCH operations, filtering and pagination, schema extensions including the Enterprise User extension, and schema discovery endpoints.</p> </div> <div class="paragraph"> <p>In this release, the SCIM API is being promoted to a preview feature. In the default profile it is disabled by default; to try it out, enable the <code>scim-api</code> feature.</p> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/docs/26.7.0/server_admin/#_managing_scim">Managing users and groups through SCIM</a> documentation.</p> </div> </div> <div class="sect3"> <h4 id="_real_time_security_signals_to_downstream_applications_experimental">Real-time security signals to downstream applications (experimental)</h4> <div class="paragraph"> <p>When a user logs out, changes credentials, or gets disabled in Keycloak, downstream applications typically don&#&#8203;8217;t learn about it until the next token refresh — leaving a window where stale sessions remain active. The <a href="https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html">OpenID Shared Signals Framework (SSF)</a> closes this gap by letting identity providers push security events to relying parties in near real time.</p> </div> <div class="paragraph"> <p>Keycloak can now act as an SSF Transmitter, delivering signed <a href="https://www.rfc-editor.org/info/rfc8417/">Security Event Tokens (SETs)</a> to registered receivers. It supports <a href="https://openid.net/specs/openid-caep-1_0-final.html">CAEP 1.0</a> and <a href="https://openid.net/specs/openid-risc-1_0-final.html">RISC 1.0</a> event profiles with both push (<a href="https://www.rfc-editor.org/info/rfc8935/">RFC 8935</a>) and poll (<a href="https://www.rfc-editor.org/info/rfc8936/">RFC 8936</a>) delivery methods. Events are persisted to a durable outbox so that no signal is lost across restarts, and a cluster-aware background drainer handles retries and exponential backoff. Each realm can opt in individually, and streams, subjects, and event types are managed through the admin console and REST API.</p> </div> <div class="paragraph"> <p>To enable SSF, start Keycloak with the feature <code>ssf</code> enabled.</p> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/securing-apps/ssf-support">Shared Signals Framework</a> guide.</p> </div> </div> <div class="sect3"> <h4 id="_standardized_authorization_decisions_with_authzen_experimental">Standardized authorization decisions with AuthZen (experimental)</h4> <div class="paragraph"> <p>Applications that need fine-grained authorization typically call Keycloak&#&#8203;8217;s proprietary authorization API, coupling them to its internal model. The <a href="https://openid.net/specs/authorization-api-1_0.html">OpenID AuthZEN Authorization API 1.0</a> defines a vendor-neutral protocol between Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs), enabling applications to request authorization decisions through a standard interface.</p> </div> <div class="paragraph"> <p>Keycloak now implements the AuthZEN Evaluation API as a PDP. Applications send evaluation requests describing a subject, resource, and action, and Keycloak returns a permit or deny decision based on its configured authorization policies. Both single and batch evaluation endpoints are available.</p> </div> <div class="paragraph"> <p>To enable AuthZen, start Keycloak with the feature <code>authzen</code> enabled.</p> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/securing-apps/authzen-authorization">AuthZen Authorization</a> guide.</p> </div> </div> <div class="sect3"> <h4 id="_authorize_ai_tools_and_mcp_servers">Authorize AI tools and MCP servers</h4> <div class="paragraph"> <p>The Model Context Protocol (MCP) is becoming the standard way for AI applications to connect to external tools and data sources. As MCP adoption grows, securing these connections with proper OAuth 2.0 authorization is critical.</p> </div> <div class="paragraph"> <p>Keycloak continues to improve its MCP authorization server capabilities. This release adds integration documentation for Claude Code as an MCP client, alongside the existing Visual Studio Code integration. Both use OAuth Client ID Metadata Document (CIMD) for dynamic client registration with PKCE-secured public client flows and localhost callbacks.</p> </div> <div class="paragraph"> <p>For setup instructions, see the <a href="https://www.keycloak.org/securing-apps/mcp-authz-server">Integrating with Model Context Protocol (MCP)</a> guide.</p> </div> </div> <div class="sect3"> <h4 id="_delegate_access_across_services_with_token_exchange_delegation_experimental">Delegate access across services with Token Exchange Delegation (experimental)</h4> <div class="paragraph"> <p>In multi-service architectures, a backend service sometimes needs to act on behalf of a user at another service — for example, when a gateway delegates work to a downstream API. Standard Token Exchange handles client-to-client token swaps, but verifying that the requester is authorized to impersonate a specific user requires additional checks.</p> </div> <div class="paragraph"> <p>Keycloak introduces token exchange delegation as an experimental feature. It adds a new <code>delegation</code> parameterized scope type that validates whether the requesting user is authorized to act on behalf of the target user before the exchange is granted. The delegation scope requires user consent and is automatically reassessed on token refresh, so revoked impersonation rights take effect immediately.</p> </div> <div class="paragraph"> <p>To enable token exchange delegation, start Keycloak with the feature <code>token-exchange-delegation</code> enabled.</p> </div> </div> <div class="sect3"> <h4 id="_step_up_authentication_for_saml_clients">Step-up authentication for SAML clients</h4> <div class="paragraph"> <p>Step-up authentication allows applications to require a stronger level of authentication for sensitive operations. Previously, this capability was only available for OpenID Connect clients.</p> </div> <div class="paragraph"> <p>Keycloak now extends step-up authentication to the SAML protocol, enabling SAML service providers to request a specific authentication context class in their authentication requests. The feature <code>step-up-authentication-saml</code> has been promoted from preview to supported in this release.</p> </div> <div class="paragraph"> <p>For more information, see the <a href="https://www.keycloak.org/docs/26.7.0/server_admin/#_step-up-authentication-saml">Server Administration Guide</a>.</p> </div> </div> </div> <div class="sect2"> <h3 id="_administration">Administration</h3> <div class="sect3"> <h4 id="_declarative_client_management_with_admin_api_v2_experimental">Declarative client management with Admin API v2 (experimental)</h4> <div class="paragraph"> <p>Keycloak introduces a new REST API for managing OIDC and SAML clients. The new API provides strict validation, support for declarative configuration, and an accurate OpenAPI specification that enables reliable client generation. This addresses long-standing limitations of the original Admin REST API. This is the first resource in the Admin API v2, with additional resources to follow in future releases.</p> </div> <div class="paragraph"> <p>The API can be consumed through a Java client, an auto-generated JavaScript client, and a CLI. The Keycloak Operator uses it to manage clients declaratively via <code>KeycloakOIDCClient</code> and <code>KeycloakSAMLClient</code> custom resources.</p> </div> <div class="paragraph"> <p>Enabling this feature also enables the OpenAPI specification endpoint on the management interface, which the CLI uses to adapt its commands to the connected server version.</p> </div> <div class="paragraph"> <p>To try it out, enable the <code>client-admin-api:v2</code> feature.</p> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/nightly/admin-api/admin-api-v2">Admin API v2</a> guide and the <a href="https://www.keycloak.org/nightly/operator/managing-clients">Managing Keycloak Clients</a> operator guide. Feedback is welcome in the <a href="https://github.com/keycloak/keycloak/discussions/50186">Client Admin API v2</a> GitHub Discussion.</p> </div> <div class="paragraph"> <p>Thanks to <a href="https://github.com/robson90">Robin Meese</a> for contributing the OpenAPI endpoint on the management interface and the Java admin client, and to <a href="https://github.com/sschu">Sebastian Schuster</a> for his participation in the Admin API working group and the Go client analysis.</p> </div> </div> <div class="sect3"> <h4 id="_fine_grained_delegation_for_organization_administration">Fine-grained delegation for organization administration</h4> <div class="paragraph"> <p>Managing organizations in Keycloak previously required the <code>manage-realm</code> role — a high-privilege role that grants far more access than most organization administrators need. This release introduces dedicated admin roles and Fine-Grained Admin Permissions for organizations, allowing administrators to delegate organization management without over-provisioning access.</p> </div> <div class="paragraph"> <p>New realm admin roles provide coarse-grained delegation:</p> </div> <div class="ulist"> <ul> <li> <p><code>manage-organizations</code> — grants full read and write access to organizations, including creating, updating, and deleting organizations and their members.</p> </li> <li> <p><code>view-organizations</code> — grants read-only access to organizations and their members (also requires <code>view-users</code> or Fine-Grained Admin Permissions for user visibility).</p> </li> <li> <p><code>query-organizations</code> — grants the ability to search and list organizations without full view access, consistent with the <code>query-users</code> / <code>query-clients</code> / <code>query-groups</code> pattern.</p> </li> </ul> </div> <div class="paragraph"> <p>The <code>manage-realm</code> role continues to implicitly grant full organization management access for backward compatibility.</p> </div> <div class="paragraph"> <p>For per-organization granularity, organizations are now a first-class resource type in Fine-Grained Admin Permissions. Administrators can create permissions to control which specific organizations a delegated administrator can view or manage — for example, granting access to manage one organization without giving access to all organizations in the realm. When Fine-Grained Admin Permissions is enabled, organization member queries also respect user-level permissions, returning only members the administrator is permitted to view.</p> </div> </div> <div class="sect3"> <h4 id="_automatic_role_inheritance_through_organization_groups">Automatic role inheritance through organization groups</h4> <div class="paragraph"> <p>Assigning roles to individual organization members does not scale well when an organization has hundreds of users who all need the same permissions. Organization groups now support realm and client role assignments, so administrators can assign a role once to the organization group and have it automatically appear in <code>realm_access</code> and <code>resource_access</code> token claims for all group members.</p> </div> <div class="paragraph"> <p>Additionally, the <strong>Organization Group Membership</strong> protocol mapper (OIDC and SAML) can include these roles within the <code>organization</code> claim, organized per organization, by enabling the <strong>Add group role mappings</strong> configuration option.</p> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/docs/26.7.0/server_admin/#_managing_groups_">Managing organization groups</a> guide.</p> </div> </div> <div class="sect3"> <h4 id="_better_passkey_compatibility_with_new_webauthn_policy_options">Better passkey compatibility with new WebAuthn policy options</h4> <div class="paragraph"> <p>Passkeys let users sign in with biometrics or a security key instead of a password. To work correctly, the server must tell the browser whether it prefers a discoverable credential (a passkey stored on the device) or not — and the previous Yes/No option could not express the increasingly common <code>preferred</code> value.</p> </div> <div class="paragraph"> <p>The WebAuthn Policy and WebAuthn Passwordless Policy now provide a <code>Discoverable credential</code> option that follows the current <a href="https://www.w3.org/TR/webauthn/#dom-authenticatorselectioncriteria-residentkey">WebAuthn specification</a>, supporting <code>required</code>, <code>preferred</code>, and <code>discouraged</code> values. This improves compatibility with passkey providers such as iCloud Keychain, Google Password Manager, and 1Password. The previous <code>Require Discoverable Credential</code> option is now deprecated and planned for removal in a future release.</p> </div> </div> <div class="sect3"> <h4 id="_easier_realm_discovery_by_display_name_search">Easier realm discovery by display name search</h4> <div class="paragraph"> <p>Administrators often give realms short technical names (like <code>acme-prod</code>) but set a human-readable display name (like <code>Acme Corporation</code>). Previously, the admin console search only matched against the technical realm name, making it harder to find realms in large multi-tenant deployments.</p> </div> <div class="paragraph"> <p>Realm search now matches against the display name in addition to the realm name, so administrators can find realms by whichever name they remember.</p> </div> </div> <div class="sect3"> <h4 id="_type_safe_validation_for_parameterized_scopes_experimental">Type-safe validation for parameterized scopes (experimental)</h4> <div class="paragraph"> <p>Parameterized scopes allow OAuth clients to request context-specific access — for example, <code>project:12345</code> to request access to a particular project, or <code>account:savings</code> to scope a token to a specific bank account. Previously, the parameter value was validated only by an optional regex, making it easy to pass invalid or unexpected values.</p> </div> <div class="paragraph"> <p>Parameterized scopes can now define a parameter type that validates the captured value at request time. Built-in types include <code>string</code>, <code>integer</code>, <code>boolean</code>, <code>username</code>, and <code>custom</code> (validated against an admin-defined regex). The type is required when creating parameterized scopes with the feature enabled, ensuring that tokens always carry well-formed scope parameters.</p> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/docs/26.7.0/upgrading/">Upgrading Guide</a>.</p> </div> </div> <div class="sect3"> <h4 id="_additional_datasources_may_be_excluded_from_health_checks">Additional datasources may be excluded from health checks</h4> <div class="paragraph"> <p>When using multiple datasources, a failing non-critical datasource can cause the health check endpoint to report the entire deployment as unhealthy. Individual datasources can now be excluded from health checks, so optional or secondary datasources do not trigger unnecessary alerts or affect load balancer routing.</p> </div> <div class="paragraph"> <p>Read more about it in the <a href="https://www.keycloak.org/server/db#multiple-datasources">Configure multiple datasources</a> guide.</p> </div> </div> </div> <div class="sect2"> <h3 id="_configuring_and_running">Configuring and Running</h3> <div class="sect3"> <h4 id="_enhanced_reverse_proxy_guides_with_blueprints_for_haproxy_and_traefik">Enhanced reverse proxy guides with blueprints for HAProxy and Traefik</h4> <div class="paragraph"> <p>Running Keycloak in production requires a reverse proxy, but configuring TLS termination, certificate forwarding, and admin API security correctly across different proxies is error-prone.</p> </div> <div class="paragraph"> <p>The reverse proxy documentation has been significantly expanded with dedicated step-by-step guides for HAProxy and Traefik covering both TLS passthrough and re-encrypt modes, and also explain the concepts so they can be applied for other proxies as well.</p> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/server/reverseproxy">Using a reverse proxy</a> guide.</p> </div> </div> <div class="sect3"> <h4 id="_simplified_multi_cluster_high_availability_without_external_caches_experimental">Simplified multi-cluster high availability without external caches (preview)</h4> <div class="paragraph"> <p>The existing multi-cluster setup for Keycloak requires deploying and managing an external Infinispan cluster for cross-site session replication, along with vendor-specific fencing infrastructure for automated failover. This adds significant operational complexity and limits deployments to specific environments.</p> </div> <div class="paragraph"> <p>Multi-cluster v2 removes the external Infinispan requirement entirely. Keycloak instances connect directly to each other using embedded Infinispan caches and rely on the synchronously replicated database as the single source of truth. Cache invalidation across sites is handled through a database-backed outbox pattern. The load balancer can detect the downtime of a site without requiring external fencing infrastructure.</p> </div> <div class="paragraph"> <p>To enable this setup, start Keycloak with the feature <code>stateless</code>. For architecture details and a deployment blueprint, see the <a href="https://www.keycloak.org/high-availability/multi-cluster-v2/introduction">Multi-cluster deployments (v2)</a> guide.</p> </div> </div> <div class="sect3"> <h4 id="_keycloak_operator_kustomize_installation">Keycloak Operator kustomize installation</h4> <div class="paragraph"> <p>Installing the Keycloak Operator on vanilla Kubernetes clusters previously required downloading and applying individual manifest files, making upgrades and customization harder to manage. The Operator can now be installed using kustomize, providing a declarative and reproducible installation method.</p> </div> <div class="paragraph"> <p>For installation instructions, see the <a href="https://www.keycloak.org/guides#operator">Operator Guide</a>.</p> </div> </div> <div class="sect3"> <h4 id="_cluster_wide_install_mode_for_the_keycloak_operator_preview">Cluster-wide install mode for the Keycloak Operator (preview)</h4> <div class="paragraph"> <p>Organizations running multiple Keycloak instances across different Kubernetes namespaces previously needed to install a separate Operator in each namespace. The Keycloak Operator now exposes <code>AllNamespaces</code> as a supported OLM install mode, allowing a single Operator instance to reconcile <code>Keycloak</code> custom resources across all namespaces in the cluster. For non-OLM installations, cluster-wide deployment is available through the <code>cluster-wide</code> kustomization overlay.</p> </div> <div class="paragraph"> <p>Cluster-wide installation is in preview. For installation instructions and limitations, see the <a href="https://www.keycloak.org/guides#operator">Operator Guide</a>.</p> </div> </div> </div> <h2>Upgrading</h2> <p>Before upgrading refer to <a href="https://www.keycloak.org/docs/latest/upgrading/#migration-changes">the migration guide</a> for a complete list of changes.</p> <h2>All resolved issues</h2> <h3>Security fixes</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/49427">#&#8203;49427</a> [CVE-2026-9796] Admin role rename TOCTOU bypasses checkAdminRoles — realm-wide escalation from manage-clients <code>admin/rbac</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49430">#&#8203;49430</a> [CVE-2026-9689] HTTP Parameter Pollution in OIDC redirect URI allows response parameter duplication <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49432">#&#8203;49432</a> [CVE-2026-9798] CIBA authentication flow bypasses brute-force account lockout <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49766">#&#8203;49766</a> [CVE-2026-11986] FGAP v1 allows unassigning any role <code>admin/fine-grained-permissions</code></li> </ul> <h3>Weaknesses</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/48717">#&#8203;48717</a> SAML Identity Provider settings in the Admin UI are not asking for signatures by default <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49137">#&#8203;49137</a> Welcome page admin bootstrap bypasses local-only check when behind a same-host proxy without forwarding headers <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49215">#&#8203;49215</a> JWT Authorization Grant: namespace jti cache keys and reorder signature verification <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49312">#&#8203;49312</a> Organization group members endpoint does not check Users permission <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49605">#&#8203;49605</a> Member's organizations endpoint missing per-org FGAP filtering <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49660">#&#8203;49660</a> OID4VCI: Missing disabled-client check in PreAuthorizedCodeGrantType <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49838">#&#8203;49838</a> SD-JWT: Array index shifting in SdJwtVerificationContext leaves undisclosed placeholders in verified payload <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49920">#&#8203;49920</a> WebAuthn: sign counter updated to stored+1 instead of assertion value <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49921">#&#8203;49921</a> WebAuthn: challenge not consumed after assertion validation <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49922">#&#8203;49922</a> FreeMarker: deprecated no-arg Configuration constructor pins engine to legacy 2.3.0 defaults <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49961">#&#8203;49961</a> Themes: FolderTheme.getTemplate() missing path-containment check <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50074">#&#8203;50074</a> SSF admin endpoint: missing client-level authorization check exposes push delivery secret <code>ssf</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50316">#&#8203;50316</a> Use constant-time comparison when validating OTP codes <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50460">#&#8203;50460</a> SSF push URL allow-list bypass via authority-attached wildcard <code>ssf</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50464">#&#8203;50464</a> SAML Step-Up: Over-achieved LoA collapses AuthnContextClassRef to AC_UNSPECIFIED on SSO re-entry <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50466">#&#8203;50466</a> SAML Step-Up: Three robustness issues in LoA mapping and classRef selection <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50481">#&#8203;50481</a> Cacheless: JpaSingleUseObjectProvider.putIfAbsent() missing lifespan validation present in put() </li> <li><a href="https://github.com/keycloak/keycloak/issues/50482">#&#8203;50482</a> Cacheless: Root authentication session lookup uses assert-only realm check — no-op in production </li> <li><a href="https://github.com/keycloak/keycloak/issues/50483">#&#8203;50483</a> Cacheless: LoginFailureExpirationAction compares milliseconds vs seconds — rows never reaped </li> <li><a href="https://github.com/keycloak/keycloak/issues/50488">#&#8203;50488</a> HAProxy guide: Missing unconditional del-header for Client-Cert before conditional set-header </li> <li><a href="https://github.com/keycloak/keycloak/issues/50491">#&#8203;50491</a> Client API v2: Operator secretRef resolves arbitrary Secrets without ownership validation <code>admin/api-v2</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50494">#&#8203;50494</a> Client API v2: Operator prefers HTTP over HTTPS when both are enabled <code>admin/api-v2</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50534">#&#8203;50534</a> Identity Broker v2: Internal exception message reflected in /token error response <code>oidc</code></li> </ul> <h3>Removed features</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/44013">#&#8203;44013</a> Deprecate the Twitter IDP implementation due to old twitter4j library <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48104">#&#8203;48104</a> Remove support for token-exchange-external-internal:v2 <code>token-exchange/federated</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49270">#&#8203;49270</a> Remove the batching option for the persistent sessions </li> </ul> <h3>New features</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/9686">#&#8203;9686</a> Store the Dynamic Scope parameter to avoid showing the Consent Screen every time there's an authentication </li> <li><a href="https://github.com/keycloak/keycloak/issues/20128">#&#8203;20128</a> Add support for `reencrypt` OpenShift Routes to the Operator <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/22042">#&#8203;22042</a> More flexible imports in custom theme (i.e. CSS media queries) <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/35650">#&#8203;35650</a> Compatibility profiles </li> <li><a href="https://github.com/keycloak/keycloak/issues/44317">#&#8203;44317</a> [OID4VCI] Add a client policy to require a credential offer </li> <li><a href="https://github.com/keycloak/keycloak/issues/46543">#&#8203;46543</a> Step-up authentication for SAML - supported <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48623">#&#8203;48623</a> Make the admin client, from the admin-ui more easy to use </li> </ul> <h3>Enhancements</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/9915">#&#8203;9915</a> Make the consent screen text for dynamic scopes customizable with a reference to the dynamic scope parameter </li> <li><a href="https://github.com/keycloak/keycloak/issues/10696">#&#8203;10696</a> Improve WebAuthn tests documentation <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/12223">#&#8203;12223</a> Dynamic scopes: requested scopes get mixed up between token requests <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/17758">#&#8203;17758</a> [UX Review] Optimize the number box in the Time-policy creation page of client Authorization <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/17762">#&#8203;17762</a> [UX Review] Optimize the initial page of Keys in OIDC client <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/17770">#&#8203;17770</a> Remove unnecessary conditions from code <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/17771">#&#8203;17771</a> Caught errors should have the correct type associated with them <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/22229">#&#8203;22229</a> UI should prevent admins from defining a dynamic client scope with type Default <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24436">#&#8203;24436</a> Account API - "/applications/{clientId}/consent" : Provide option to get enhanced ConsentScopeRepresentation <code>account/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24823">#&#8203;24823</a> Adding client_id as prefix in client roles mapper <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26602">#&#8203;26602</a> Allow user search by direct lookup via username and email </li> <li><a href="https://github.com/keycloak/keycloak/issues/26699">#&#8203;26699</a> Nested group members from Active Directory are not showing in Keycloak groups <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29558">#&#8203;29558</a> Best practices for detecting support for Passkeys - support for isUserVerifyingPlatformAuthenticatorAvailable() <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30328">#&#8203;30328</a> Add ability to inspect generated SAML response for SAML Clients with client scope mappings <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31641">#&#8203;31641</a> Implement organization-specific admin roles with limited permissions <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32527">#&#8203;32527</a> Provide default krb5.conf in Docker image or extend migration docs <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/34104">#&#8203;34104</a> Improve robustness of backchannel logout with client sessions </li> <li><a href="https://github.com/keycloak/keycloak/issues/38632">#&#8203;38632</a> README.md Other Keycloak Projects </li> <li><a href="https://github.com/keycloak/keycloak/issues/40026">#&#8203;40026</a> Support subdomain matching for Organizations in IdP redirect logic </li> <li><a href="https://github.com/keycloak/keycloak/issues/41164">#&#8203;41164</a> Redirection Endpoint should be validated not to include a hash in the URL <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42513">#&#8203;42513</a> Set residentKey instead of requireResidentKey in Webauthn creation request <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42883">#&#8203;42883</a> FIX multiple LDAP failover & document the possibility of having multiple LDAP URLs in LDAP provider </li> <li><a href="https://github.com/keycloak/keycloak/issues/43955">#&#8203;43955</a> Cluster-wide Operator MVP </li> <li><a href="https://github.com/keycloak/keycloak/issues/45104">#&#8203;45104</a> Add native "Remember Me" support to WebAuthn/Passkey Authentication Flows <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/45292">#&#8203;45292</a> Search realms by "Display name" in the "Manage realms" view <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/45295">#&#8203;45295</a> Improve client authentication flows <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/45497">#&#8203;45497</a> Introduce granular roles for Organization management (manage-organizations, view-organizations) <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/45866">#&#8203;45866</a> Customize SAML service provider metadata </li> <li><a href="https://github.com/keycloak/keycloak/issues/45900">#&#8203;45900</a> Support multiple organization scopes in OIDC token requests <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46435">#&#8203;46435</a> Good database instructions for a production ready Keycloak setup </li> <li><a href="https://github.com/keycloak/keycloak/issues/46740">#&#8203;46740</a> Prevent ASCII control characters in query parameters </li> <li><a href="https://github.com/keycloak/keycloak/issues/46903">#&#8203;46903</a> A User belonging to multiple organization should be allowed to change his organization choice during login <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46959">#&#8203;46959</a> Enhance WebAuthn Conditional UI to auto-trigger passkey modal on page load <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46981">#&#8203;46981</a> Support experimental cluster-wide operator installation by using kubectl <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47174">#&#8203;47174</a> MySQL/TiDB: Configure DB socket timeouts on the fly during connection creation phase <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47284">#&#8203;47284</a> Introduce ORGANIZATIONS resource type in Fine-Grained Admin Permissions <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47314">#&#8203;47314</a> Token Exchange with sender constrained tokens missing cnf claim <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47327">#&#8203;47327</a> Support mapping existing Realm and Client roles to Organization Groups <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47330">#&#8203;47330</a> Document provided ProtocolMapper implementations <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47356">#&#8203;47356</a> Enhancement: Improve the performance of loading large password blacklists </li> <li><a href="https://github.com/keycloak/keycloak/issues/47383">#&#8203;47383</a> Add example for health check when using HTTPS </li> <li><a href="https://github.com/keycloak/keycloak/issues/47431">#&#8203;47431</a> Organization feature will only show linked IDPs if the user has already one linked <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47542">#&#8203;47542</a> Use client-side Streaming for admin api v2 in the Java client </li> <li><a href="https://github.com/keycloak/keycloak/issues/47762">#&#8203;47762</a> Enhance quick-theme .jar generation. <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47851">#&#8203;47851</a> OrganizationGroupMembershipMapper should support configurable token claim name <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47951">#&#8203;47951</a> Add Vietnamese (vi) as a translation <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47960">#&#8203;47960</a> Add CLI options for mTLS database connections </li> <li><a href="https://github.com/keycloak/keycloak/issues/47963">#&#8203;47963</a> Update tested configurations for single- and multi-cluster to the recent OpenShift version </li> <li><a href="https://github.com/keycloak/keycloak/issues/48053">#&#8203;48053</a> Allow db-connect-timeout to be used for all datasources <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48059">#&#8203;48059</a> Safeguard against wrong PID in containers <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48088">#&#8203;48088</a> When a group is granted a role, it should not read all existing role mappings from the database <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48098">#&#8203;48098</a> Expose hidden management options </li> <li><a href="https://github.com/keycloak/keycloak/issues/48338">#&#8203;48338</a> Add details to AdminEvent in UserResource.removeCredential <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48393">#&#8203;48393</a> [CIMD] Document the existing query-string defense on the MCP Authorization Server docs page </li> <li><a href="https://github.com/keycloak/keycloak/issues/48420">#&#8203;48420</a> Upgrade `webauthn4j` to 0.30.3 <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48445">#&#8203;48445</a> Enable passkeys configuration does not follow best UX <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48539">#&#8203;48539</a> Update WebAuthn Metadata service data <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48540">#&#8203;48540</a> Support icons for Passkeys credentials <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48557">#&#8203;48557</a> Show Groups tab in the account console when user is part of any group <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48588">#&#8203;48588</a> Fine Grained Authorization v2 : does not work PUT https://i<keycloak>/admin/realms/<realm>/admin-permissions/groups/<group-id> <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48730">#&#8203;48730</a> DB documentation doesn't state on how to check the transaction isolation for MSSQL </li> <li><a href="https://github.com/keycloak/keycloak/issues/48755">#&#8203;48755</a> User deletion latency grows with Infinispan session-cache fill level / size <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48863">#&#8203;48863</a> Include kid in details of CLIENT_LOGIN event of Signed JWT Client Authentication </li> <li><a href="https://github.com/keycloak/keycloak/issues/48892">#&#8203;48892</a> SSF: Track if stream was created by Keycloak or ssfReceiver <code>ssf</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48893">#&#8203;48893</a> SSF: Remove "audience" field from create stream form <code>ssf</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48962">#&#8203;48962</a> Add suggestions when features are incorrectly specified <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49037">#&#8203;49037</a> Expose multi-namespace install modes </li> <li><a href="https://github.com/keycloak/keycloak/issues/49040">#&#8203;49040</a> Make `AbstractJWTClientValidator` / `FederatedJWTClientValidator` methods `protected` for extensibility </li> <li><a href="https://github.com/keycloak/keycloak/issues/49177">#&#8203;49177</a> Remove explicit --shutdown-timeouts configuration from proxy example configurations </li> <li><a href="https://github.com/keycloak/keycloak/issues/49235">#&#8203;49235</a> SSF: Move Push timeout settings to SSF Receiver tab <code>ssf</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49248">#&#8203;49248</a> Consider additional datasources in health checks </li> <li><a href="https://github.com/keycloak/keycloak/issues/49348">#&#8203;49348</a> Ensure proper management of thread-bound resources. </li> <li><a href="https://github.com/keycloak/keycloak/issues/49372">#&#8203;49372</a> Unify buttons in horizontal layout for Login UI <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49378">#&#8203;49378</a> Login page title should use full width when locale selector is hidden <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49424">#&#8203;49424</a> Include subject to email template attributes </li> <li><a href="https://github.com/keycloak/keycloak/issues/49453">#&#8203;49453</a> Persistent sessions should be written as part of the original main transaction where possible <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49469">#&#8203;49469</a> Stateless mode: store volatile session data in the database </li> <li><a href="https://github.com/keycloak/keycloak/issues/49491">#&#8203;49491</a> Full user representation when querying organization members <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49573">#&#8203;49573</a> Attribute for clients scopes to always require consent <code>token-exchange/subject-impersonation</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49608">#&#8203;49608</a> Correct themes README </li> <li><a href="https://github.com/keycloak/keycloak/issues/49645">#&#8203;49645</a> Organization member read endpoints should document parent-gated org-level authorization contract <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49711">#&#8203;49711</a> [Login UI] Improve credential selector layout <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49757">#&#8203;49757</a> Reverse proxy docs: should not proxy master realm <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49873">#&#8203;49873</a> How to thread dump with and without virtual threads <code>observability</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49947">#&#8203;49947</a> Add OIDF conformance tests to CI <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49988">#&#8203;49988</a> Docs should describe on how to detect if a graceful shutdown was successful <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50050">#&#8203;50050</a> SSF: Handle disabled SSF Receiver client <code>ssf</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50087">#&#8203;50087</a> Generate queryable fields documentation from code <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50134">#&#8203;50134</a> Refresh client data after invalidating rotated secret in Credentials tab </li> <li><a href="https://github.com/keycloak/keycloak/issues/50261">#&#8203;50261</a> MCP Documentation for 26.7 </li> <li><a href="https://github.com/keycloak/keycloak/issues/50327">#&#8203;50327</a> Improve OAuth Identity and Authorization Chaining Across Domains guide </li> <li><a href="https://github.com/keycloak/keycloak/issues/50369">#&#8203;50369</a> Composite-role expansion does an N+1 of `getChildRoles` queries (each with an auto-flush) that dominates Keycloak CPU on the cache-miss path <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50467">#&#8203;50467</a> Prevent DoS when using complex filter conditions <code>workflows</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50476">#&#8203;50476</a> Retarget quarkus-next to Quarkus 3.x branch after main switched to 4.0 </li> </ul> <h3>Bugs</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/12142">#&#8203;12142</a> IdP backchannel logout does not work with session id in logout <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/20649">#&#8203;20649</a> "Not username" and "Not email" options when creating/changing a password, should ignore letter case when comparing password to email or to username <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27431">#&#8203;27431</a> New clients have a JavaScript default policy configured which causes problems on export/import <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32124">#&#8203;32124</a> Backchannel logout notification client for Update_Password AIA is not having all the session ids <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33204">#&#8203;33204</a> Identity Providers are missing from the login page if I request a reset password for an existing user <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/35104">#&#8203;35104</a> Timestamp overflow in client secret rotation feature leads to next refresh time being set to the past <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/37355">#&#8203;37355</a> Web Crypto API not available in `login-status-iframe.html` when using admin console from insecure context <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/38124">#&#8203;38124</a> High values for client secret expiration result in expiration dates in the past <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40603">#&#8203;40603</a> Account UI reports "Something went wrong" if user doesn't have permissions to view applications <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/44591">#&#8203;44591</a> Terms and Conditions Accepted Timestamp <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/44620">#&#8203;44620</a> Possible data loss when scaling Keycloak StatefulSet down (on Kubernetes) <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/44741">#&#8203;44741</a> Device activity does not recognize iOS 26 correct <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/45420">#&#8203;45420</a> [OID4VCI] Wrong typ value for SD-JWT VC <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/45494">#&#8203;45494</a> ScrollForm navigation does not update active section on click or scroll <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/45568">#&#8203;45568</a> Pending auth flow waiting for email verification succeeds even after password reset - providing room for pre-account takeover attacks <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/45716">#&#8203;45716</a> Problem with Standard Token Exchange with Dynamic Scopes feature enabled (Wrong default scopes) <code>token-exchange</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46083">#&#8203;46083</a> "Full scope allowed" toggle reverts to previous state when switching between Scope and Mappers tabs in Dedicated scopes <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46088">#&#8203;46088</a> Newly created resource appears on both current and next page in Authorization Resources tab <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46132">#&#8203;46132</a> profile scope causes NumberFormatException <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46172">#&#8203;46172</a> Issues when deleting several realms at the same time <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46463">#&#8203;46463</a> Input field for device user code is badly formatted <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46634">#&#8203;46634</a> Brute force detection counter does not work properly <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46742">#&#8203;46742</a> Keycloak makes network requests to addresses in login certificates before verifying them <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46926">#&#8203;46926</a> PAR endpoint enforces “Request Object Required” and expects request_uri <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46954">#&#8203;46954</a> ClearExpiredEvents job crashes app and locks DB when EVENT_ENTITY Table has large amount of records <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/46978">#&#8203;46978</a> Document / validate .conf extension is required for --config-file option <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47017">#&#8203;47017</a> Remember me does not work when organization scope is enabled on login session. <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47046">#&#8203;47046</a> [OID4VCI] Credential definition type should include VerifiableCredential <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47061">#&#8203;47061</a> Duplicated flows can have illegal characters in step name <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47202">#&#8203;47202</a> DefaultLocaleUpdaterProvider: KEYCLOAK_LOCALE cookie not set for READ_ONLY federated users <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47274">#&#8203;47274</a> [OID4VCI] Option 'Pre-Authorized code lifespan' should be renamed <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47294">#&#8203;47294</a> Use SecureRandom instead of Random for D-Bus cookie generation in SSSD federation <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47341">#&#8203;47341</a> Updating client scope fails if it was saved while the dynamic scopes feature was active in the past <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47386">#&#8203;47386</a> [OID4VCI] TokenResponse requires credential_identifiers in authorization_details </li> <li><a href="https://github.com/keycloak/keycloak/issues/47421">#&#8203;47421</a> Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionAtSameNode <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47432">#&#8203;47432</a> The cancel button in the custom UiTabProvider encounters an issue where it redirects to an incorrect URL and triggers an error. <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47477">#&#8203;47477</a> Flaky test: org.keycloak.testsuite.forms.AuthenticatorSubflowsTest2#testSubflow2 <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47499">#&#8203;47499</a> Maven windows wrapper trips over whitespace in pathname for setup <code>dependencies</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47500">#&#8203;47500</a> Build Quarkus snapshots in quarkus-next workflow <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47513">#&#8203;47513</a> Review JwtProofValidator <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47523">#&#8203;47523</a> The name "master" seems to be hard-coded in places and thus breaks KC_SPI_ADMIN_REALM <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47545">#&#8203;47545</a> Keycloak ships source maps for Admin UI and Account UI <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47560">#&#8203;47560</a> Missing default value for max parameter in the Admin REST APIs docs <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47659">#&#8203;47659</a> SRCFG01008 warning in source Quarkus dev mode when kc.log-console-output=default (not reproducible via packaged kc.sh) <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47681">#&#8203;47681</a> Log Injection and Audit Forgery in OIDC Authorization Endpoint (client_id parameter) <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47700">#&#8203;47700</a> Duplicate entries created in Role Attributes during concurrent setSingleAttribute calls <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47710">#&#8203;47710</a> updated popover when there is no change <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47733">#&#8203;47733</a> Able to update Identity Provider alias via admin console and API <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47750">#&#8203;47750</a> cache-embedded-mtls-enabled maps to a build time property, but is a runtime option <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47832">#&#8203;47832</a> Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceClientSessionsMultipleNodes <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47833">#&#8203;47833</a> Flaky test: org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testUserRemoved <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47834">#&#8203;47834</a> Flaky test: org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testExpirationDistribution <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47835">#&#8203;47835</a> Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderOfflineModelTest#testOfflineSessionLazyLoadingPropagationBetweenNodes <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47898">#&#8203;47898</a> [OID4VCI] Default client scopes not configured correctly </li> <li><a href="https://github.com/keycloak/keycloak/issues/47914">#&#8203;47914</a> Declarative UI: Avoid silent failure to add path params <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47923">#&#8203;47923</a> account-console client can be deleted despite being a built-in internal client <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47925">#&#8203;47925</a> Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47958">#&#8203;47958</a> Admin UI Test is logging to the console <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47966">#&#8203;47966</a> Client admin v2 API: service account role management fails for client roles <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47967">#&#8203;47967</a> Generated openapi.yaml drifts on incremental builds <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47970">#&#8203;47970</a> JDBC_PING2 will stall when in a two-node-split-brain one node dies <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47978">#&#8203;47978</a> Flaky test: org.keycloak.testsuite.model.session.UserSessionInitializerTest#testUserSessionPropagationBetweenSites <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47979">#&#8203;47979</a> Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderOfflineModelTest#testOfflineSessionLazyLoading <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47990">#&#8203;47990</a> Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47993">#&#8203;47993</a> Docs: directory of keycloak-database-update.sql file <code>import-export</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48014">#&#8203;48014</a> [OID4VCI] credential_offer_uri can only be consumed once </li> <li><a href="https://github.com/keycloak/keycloak/issues/48024">#&#8203;48024</a> Relax Client ID validation for the Signed JWT - Federated (Kubernetes Service Accounts) <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48035">#&#8203;48035</a> [OID4VCI] Self-Signed x5c Bypasses Key Attestation Validation <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48044">#&#8203;48044</a> OID4VC QR Code Unbounded Dimensions DoS <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48084">#&#8203;48084</a> Admin console localizate realm name <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48119">#&#8203;48119</a> Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#loginWithExistingUserWithBruteForceEnabled <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48120">#&#8203;48120</a> Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderModelTest#testCreateUserSessionsParallel <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48121">#&#8203;48121</a> Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderModelTest#testStreamsMarshalling <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48129">#&#8203;48129</a> Stabilize Operator CI in quarkus-next <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48137">#&#8203;48137</a> Unhandled NullPointerException on Keycloak Server via GET parameter "key" with unsigned JWT <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48173">#&#8203;48173</a> Maven cache is never extracted on Azure/Aurora VMs <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48206">#&#8203;48206</a> Registration with email verification - corner case scenario for pre-account takeover <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48230">#&#8203;48230</a> Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionsAtRandomNode <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48284">#&#8203;48284</a> UiPageProvider components not refreshed on page change <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48357">#&#8203;48357</a> Restore Quarkus snapshot cache in unit-test-setup for quarkus-next <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48366">#&#8203;48366</a> OpenAPI spec key reordering on incremental builds <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48392">#&#8203;48392</a> Migration fails for organization admin roles with LazyInitializationException <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48412">#&#8203;48412</a> Add option to specify the CA Subject DN in the Client X.509 Authenticator <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48428">#&#8203;48428</a> Keycloak issues tokens via implicit and hybrid flow when DPoP is enforced for the client <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48441">#&#8203;48441</a> Flaky test: org.keycloak.testsuite.model.singleUseObject.SingleUseObjectModelTest#testCluster <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48442">#&#8203;48442</a> Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48443">#&#8203;48443</a> Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testAuthSessions <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48446">#&#8203;48446</a> Flaky test: org.keycloak.testsuite.authz.PolicyEvaluationTest# <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48456">#&#8203;48456</a> Account Console v3: Cannot revoke consent for clients with URL-based or special character clientIds (Regression of #&#8203;19515) <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48458">#&#8203;48458</a> Read-only multivalued user profile attributes are not grayed out in the account console <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48459">#&#8203;48459</a> Role update failes when no name is set <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48487">#&#8203;48487</a> Improper Authentication for required actions allows front-channel token issuance for disabled user in implicit/hybrid flow <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48514">#&#8203;48514</a> Permission issue prevents user with manage-identity-provider role to access "realm roles" list when adding hardcoded role mapper <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48559">#&#8203;48559</a> [quarkus-next] Model tests fail due to ByteBuddy removal from Hibernate runtime classpath <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48561">#&#8203;48561</a> Quarkus UT (windows-latest) cancelled when ubuntu variant fails <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48566">#&#8203;48566</a> Admin console assets 404 in 26.6.x: quay.io/keycloak/keycloak:26.6 ships /opt/keycloak/data/tmp as root:root 0755, blocking gzip cache creation <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48589">#&#8203;48589</a> Test framework startup timeout is ignored in DockerKeycloakDistribution <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48592">#&#8203;48592</a> Keycloak does an LDAP query with service account UUID when a token from a service account is used for obtaining a Requesting Party Token from a client with Authorization services <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48593">#&#8203;48593</a> Management endpoint doesn't pick up HTTPS truststore <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48594">#&#8203;48594</a> [quarkus-next] Aurora CI fails with missing quarkus-bom:999-SNAPSHOT on remote EC2 VM <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48598">#&#8203;48598</a> HttpDistTest.maxQueuedRequestsTest fails on runners with limited vCPUs <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48610">#&#8203;48610</a> Neither `INVITE_ORG` nor `REGISTER` event is triggered when a new user is invited to an organization <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48611">#&#8203;48611</a> Docs: server_admin/topics/overview/how.adoc SAML 2.0 link is broken <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48634">#&#8203;48634</a> Verify Email gets added to all the users in the realm and blocks getting a REST Token <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48645">#&#8203;48645</a> `ORGANIZATION_MEMBERSHIP` event with `ACTION` operation is missing `representation` and `detail` fields <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48647">#&#8203;48647</a> Flaky test: org.keycloak.testsuite.forms.RPInitiatedFrontChannelLogoutTest#testFrontChannelLogoutWithoutSessionRequired <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48654">#&#8203;48654</a> OrganizationProvider.count() used for existence checks causes severe database lag with large realms <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48666">#&#8203;48666</a> User Storage Task sync event can lead to deadlocks and outdated information <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48680">#&#8203;48680</a> Realm display name localization placeholder is not expanded when resolving OTP issuer name <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48721">#&#8203;48721</a> Introspect endpoint returns "invalid_request" instead of "invalid_client" on client authentication failure (RFC 7662) <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48749">#&#8203;48749</a> Prevent setting different than default decisionStrategy for FGAP <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48771">#&#8203;48771</a> Identity Provider detail settings allow saving without changes <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48812">#&#8203;48812</a> AutoUpdate force recreate <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48834">#&#8203;48834</a> NPE in `OrganizationGroupMembershipMapper` when no `organization` scope is requested <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48862">#&#8203;48862</a> Flaky test: org.keycloak.testsuite.broker.OidcAdvancedClaimToGroupMapperTest#mapperStillWorksWhenTopLevelGroupIsConvertedToSubGroup <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48868">#&#8203;48868</a> OIDC bearer-only legacy clients lose client secret after updating basic attributes (name/description) on Keycloak 23 <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48882">#&#8203;48882</a> Save button on "Create organization" page is not enabled when name is pasted from clipboard <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48903">#&#8203;48903</a> Regression: forced organization validation in 26.6 even without taking Organizations feature into use <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48917">#&#8203;48917</a> Missing locale keys in Organization Membership protocol mapper <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48920">#&#8203;48920</a> Test framework startup timeout is hardcoded to 5 minutes <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48949">#&#8203;48949</a> JS CI is failing in the Admin UI lint check <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49026">#&#8203;49026</a> Admin UI: Enter key does not trigger search in Organization Members, Invitations, and User Organizations <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49057">#&#8203;49057</a> Migration-strategy=manual bypasses DBA workflow for custom providers (re-opening #&#8203;36525) <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49063">#&#8203;49063</a> Authorization Evaluate results page hides the last resource behind the action bar <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49069">#&#8203;49069</a> Missing and incorrect permission checks on organization invitation endpoints <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49083">#&#8203;49083</a> Error while removing expired entries from database <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49139">#&#8203;49139</a> Starting FIPS mode in 26.6.1 fails with NoSuchAlgorithmException <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49146">#&#8203;49146</a> Quick theme login style broken <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49176">#&#8203;49176</a> SCIM: Incorrect location URL <code>scim</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49180">#&#8203;49180</a> Unable to easily provide full certificate chain with HaProxySslClientCertificateLookup <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49185">#&#8203;49185</a> HttpResponse.setStatus is not generally usable </li> <li><a href="https://github.com/keycloak/keycloak/issues/49189">#&#8203;49189</a> LDAP: objectGUID binary attribute not converting to Base64/String in version 26.6.1 and 26.6.2 <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49192">#&#8203;49192</a> Compilation error because of setSystemPropertyOnServer <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49249">#&#8203;49249</a> Deprecate KeycloakContext.getRequestHeaders </li> <li><a href="https://github.com/keycloak/keycloak/issues/49250">#&#8203;49250</a> SSF: auto-notify-on-login fails with ReadOnlyException for users from a read-only LDAP federation <code>ssf</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49255">#&#8203;49255</a> PAR authorization request with prompt=create does not open registration page <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49256">#&#8203;49256</a> Oracle database ignores db-url-properties <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49257">#&#8203;49257</a> Identity provider broker callback returns HTTP 502 for client-side input validation failures (missing state, missing code) <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49267">#&#8203;49267</a> JPA exception mapper swallows some intermediate exceptions <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49272">#&#8203;49272</a> ReadOnlyAttributeUnchangedValidator.isUnchanged() does not handle omitted read-only attributes <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49310">#&#8203;49310</a> Backoff retry does not honor the timeout <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49342">#&#8203;49342</a> Client secret rotation feature. Client Secret and Secret Rotated are always the same <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49388">#&#8203;49388</a> Dynamic scopes do not work with CIBA <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49441">#&#8203;49441</a> mutual-tls guide references wrong option <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49451">#&#8203;49451</a> UI allows invalid role-ldap-mapper configuration when "Use Realm Roles Mapping" is enabled together with Client ID selection. <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49452">#&#8203;49452</a> Admin UI: Workflows menu link visible to users without sufficient permissions to use it <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49456">#&#8203;49456</a> [CIMD] secure-redirect-uris-enforcer is not enforced for CIMD public clients during authorization requests <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49457">#&#8203;49457</a> [CIMD] Client policy executor auto-configuration is not applied when a public client is created through CIMD <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49481">#&#8203;49481</a> admin-client: TokenResponse.expiresIn typed as string but Keycloak returns a number <code>admin/client-js</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49490">#&#8203;49490</a> [SAST] Dead local stores (Batch 2) <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49495">#&#8203;49495</a> [SAST] Unchecked negative value in `readInteger()` <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49517">#&#8203;49517</a> French translation for credentials related events are incorrect <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49550">#&#8203;49550</a> MySQL migration fail due to group replication enforcing PK for `CREATE TABLE ... AS SELECT` <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49571">#&#8203;49571</a> FilterUtils.unescapeJsonString() incorrectly decodes escaped backslash sequences <code>scim</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49575">#&#8203;49575</a> [OID4VCI] Account console "Issue to Wallet" does not work when scope-name different than credential-config-id <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49577">#&#8203;49577</a> Azure/Aurora "Upload flaky tests" fails with 409 Conflict on duplicate artifact name <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49612">#&#8203;49612</a> keycloak-admin-client logs errors to the console in fetchWithError <code>admin/client-js</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49644">#&#8203;49644</a> ExportImportTest is unstable in the windows tests <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49674">#&#8203;49674</a> Deleting admin-permissions client via v1 Admin API returns unknown_error instead of descriptive validation error <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49702">#&#8203;49702</a> UserSelect component limits the search results during autocompletion lookup <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49718">#&#8203;49718</a> FreeMarkerLoginFormsProvider: handleThemeResources called twice per request due to getMessage() in createCommonAttributes <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49720">#&#8203;49720</a> Organization managed users should not be allowed to link other idps from the account console <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49723">#&#8203;49723</a> FIPS tests are broken in CI <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49730">#&#8203;49730</a> `--features=cimd` should add `none` to token_endpoint_auth_methods_supported <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49732">#&#8203;49732</a> 26.6.2 upgrade: `Cannot invoke "org.keycloak.authorization.model.Resource.getScopes()" because "resourceTypeResource" is null` <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49742">#&#8203;49742</a> Simplified/ Traditional Chinese is displayed twice in locale selector <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49762">#&#8203;49762</a> NPE in MgmtPermissions.isRealmAdmin() when using AdminPermissions.evaluator() with FGAP V2 enabled <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49793">#&#8203;49793</a> OIDC: Client secret generation should ensure sufficient entropy for all configured HMAC signature algorithms <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49830">#&#8203;49830</a> 26.6.x upgrade runs unbounded OFFLINE_CLIENT_SESSION REALM_ID backfill, blocking startup on large data sets <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49841">#&#8203;49841</a> SCIM: ServiceProviderConfig endpoint returns filter.maxResults: 0 instead of 100 </li> <li><a href="https://github.com/keycloak/keycloak/issues/49847">#&#8203;49847</a> SCIM endpoint returns 500 instead of 404 for unknown resource types <code>scim</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49869">#&#8203;49869</a> Fix KcAdmV2EditCLITest.testEditNonExistentResource assertion when client is not found <code>admin/cli</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49908">#&#8203;49908</a> Admin Console sessions page fails with unknown_error when federated user is deleted while an active session still exists <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49909">#&#8203;49909</a> Invalid token at openid connection client registration results in 500 instead of 401 <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49952">#&#8203;49952</a> TokenManager.isValidScope overload ignores provided AuthorizationRequestContext (incomplete #&#8203;49388 refactor) <code>token-exchange</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49960">#&#8203;49960</a> Brute-force detection: Authenticated session token refresh resets lockout counter <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49969">#&#8203;49969</a> UserInfoEndpoint throws NullPointerException (HTTP 500) for JWTs with null or missing alg header <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49972">#&#8203;49972</a> SSF Stream empty state shows extra text and refresh button <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49973">#&#8203;49973</a> SCIM endpoint returns 500 instead of 401 for unauthenticated requests <code>scim</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49978">#&#8203;49978</a> Kubernetes identity provider does not use documented default issuer </li> <li><a href="https://github.com/keycloak/keycloak/issues/50014">#&#8203;50014</a> Binding authentication flow leads to "flow.undefined" showing in admin ui <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50039">#&#8203;50039</a> Creating a client with empty `redirectUris` or `webOrigins` causes ORA-01400 (NULL insert) on Oracle database <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50054">#&#8203;50054</a> Warning of deprecated feature enabled <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50063">#&#8203;50063</a> Unable to invite user to organization when their email is a substring of an already-invited email <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50092">#&#8203;50092</a> Events search type filters don't filter while typing <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50128">#&#8203;50128</a> kcw: line 109: cd: /home/myuser/Downloads: No such file or directory </li> <li><a href="https://github.com/keycloak/keycloak/issues/50136">#&#8203;50136</a> StackOverflowError when trying to reset Password of OrganizationUser with FGAP <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50139">#&#8203;50139</a> Client Secret Rotation docs incorrectly mark feature as experimental instead of preview <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50175">#&#8203;50175</a> `KcAdmV2ClientCLITest#testListClientsWithFieldsProjection` is failing as query param cannot be exploded anymore <code>admin/cli</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50177">#&#8203;50177</a> SAML client creation fails with "Error creating X509v1Certificate" when Client ID contains URL query string characters <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50191">#&#8203;50191</a> Admin UI dynamic Group provider config crashes without GroupsResourceContext in 26.6.3 <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50195">#&#8203;50195</a> Admin UI E2E realm-settings/general.spec.ts "realm enable/disable switch" failure <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50201">#&#8203;50201</a> LDAP user federation re-binds the service account on every operation since 26.6.0 (connection pool not reused) <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50268">#&#8203;50268</a> `TokenManager#invokeTokenPostProcessors` doesn't respect `ProviderFactory#order` <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50286">#&#8203;50286</a> ConcurrentModificationException reading client-registration policy config under parallel client registration <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50291">#&#8203;50291</a> PathMatcher.buildUriFromTemplate throws StringIndexOutOfBoundsException for a template with an unclosed brace <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50300">#&#8203;50300</a> TimeSelector clears input and switches units when value is 0 in Admin Console <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50308">#&#8203;50308</a> NumberFormatException for PAR request URI lifespan <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50353">#&#8203;50353</a> Broken reference in rolling updates guide <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50380">#&#8203;50380</a> Workflow state removeAll() deletes records across all realms on realm removal <code>workflows</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50439">#&#8203;50439</a> Base2 testsuite (new) often fails with timeout <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50484">#&#8203;50484</a> [quarkus-next] Config interceptors create SmallRyeConfig during test bootstrap causing ServiceConfigurationError <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50500">#&#8203;50500</a> User Attribute mapper clears the value when custom attribute is selected <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50515">#&#8203;50515</a> Kotlin jars are included unnecessarily in the server assembly <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50582">#&#8203;50582</a> Keycloak 26.x Operator Fails to import a realm if the maxSecondaryAuthFailures field is present </li> <li><a href="https://github.com/keycloak/keycloak/issues/50633">#&#8203;50633</a> web-crypto-shim does not work after upgrade to uuid 14 <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/50712">#&#8203;50712</a> Source and javadoc jars not generated <code>core</code></li> </ul> </div> ### [`v26.6.4`](https://github.com/keycloak/keycloak/releases/tag/26.6.4) [Compare Source](https://github.com/keycloak/keycloak/compare/26.6.3...26.6.4) <div> <h2>Upgrading</h2> <p>Before upgrading refer to <a href="https://www.keycloak.org/docs/latest/upgrading/#migration-changes">the migration guide</a> for a complete list of changes.</p> <h2>All resolved issues</h2> <h3>Security fixes</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/50344">#&#8203;50344</a> CVE-2026-9099 Keycloak: group-admin escalation to realm-admin </li> <li><a href="https://github.com/keycloak/keycloak/issues/50345">#&#8203;50345</a> CVE-2026-9083 Keycloak: keycloak: information disclosure through arbitrary filesystem path probing </li> <li><a href="https://github.com/keycloak/keycloak/issues/50347">#&#8203;50347</a> CVE-2026-9086 Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass </li> <li><a href="https://github.com/keycloak/keycloak/issues/50349">#&#8203;50349</a> CVE-2026-9705 Keycloak: keycloak: attacker can re-enable and take over disabled clients via registration access token </li> <li><a href="https://github.com/keycloak/keycloak/issues/50350">#&#8203;50350</a> CVE-2026-9795 Keycloak: keycloak: privilege escalation via improper scope mapping enforcement </li> <li><a href="https://github.com/keycloak/keycloak/issues/50351">#&#8203;50351</a> CVE-2026-9799 Keycloak: keycloak: unauthorized access to resources via uma permission ticket bypass </li> <li><a href="https://github.com/keycloak/keycloak/issues/50352">#&#8203;50352</a> CVE-2026-9800 Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison </li> <li><a href="https://github.com/keycloak/keycloak/issues/50357">#&#8203;50357</a> CVE-2026-11800 Keycloak: Authentication bypass via JWT algorithm confusion </li> </ul> <h3>Enhancements</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/50100">#&#8203;50100</a> Upgrade to Quarkus 3.33.2.1 </li> </ul> <h3>Bugs</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47999">#&#8203;47999</a> [Keycloak JavaScript CI] - Build Keycloak <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49639">#&#8203;49639</a> Keycloak Admin Client tests fails in CI <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49700">#&#8203;49700</a> Incorrect migration guide reference <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49707">#&#8203;49707</a> Cannot build project due to ISPN protoschema and 26.2 branch <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49733">#&#8203;49733</a> keycloak-api-docs-dist is not deployable <code>dist/quarkus</code></li> </ul> </div> ### [`v26.6.3`](https://github.com/keycloak/keycloak/releases/tag/26.6.3) [Compare Source](https://github.com/keycloak/keycloak/compare/26.6.2...26.6.3) <div> <h2>Upgrading</h2> <p>Before upgrading refer to <a href="https://www.keycloak.org/docs/latest/upgrading/#migration-changes">the migration guide</a> for a complete list of changes.</p> <h2>All resolved issues</h2> <h3>Security fixes</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47707">#&#8203;47707</a> CVE-2026-4800 lodash vulnerable to Code Injection via `_.template` imports key names <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47935">#&#8203;47935</a> [CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint manipulation <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48036">#&#8203;48036</a> [CVE-2026-37977] CORS Access-Control-Allow-Origin reflected from unverified JWT azp claim on UMA token endpoint <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48709">#&#8203;48709</a> [CVE-2026-7500] Improper Access Control on Keycloak Server when the account Account API feature is disabled <code>account/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48805">#&#8203;48805</a> CVE-2026-42581 Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization </li> <li><a href="https://github.com/keycloak/keycloak/issues/49118">#&#8203;49118</a> [CVE-2026-8922] OIDC token introspection ignores realm-level notBefore when client-level notBefore is set <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49133">#&#8203;49133</a> [CVE-2026-8830] Missing server-side WebAuthn validations during credential registration <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49174">#&#8203;49174</a> [CVE-2026-9088] Group Members Endpoint Bypasses User Profile Permissions <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49175">#&#8203;49175</a> [CVE-2026-9087] Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49426">#&#8203;49426</a> [CVE-2026-9802] Server restart resets startupTime, allowing reuse of rotated refresh tokens when revokeRefreshToken=true <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49428">#&#8203;49428</a> [CVE-2026-9794] SAML ECP faultstring discloses client existence and configuration state <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49431">#&#8203;49431</a> [CVE-2026-9791] Organization data exposed in tokens and account API when Organizations feature is disabled at realm level <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49433">#&#8203;49433</a> [CVE-2026-0707] ClientRegistrationAuth DoS via malformed Authorization header (CVE-2026-0707 incomplete fix) <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49434">#&#8203;49434</a> [CVE-2026-9801] DoS in LDAP federation via malformed PasswordPolicyControl <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49435">#&#8203;49435</a> [CVE-2026-9704] Privilege escalation via silent subject_token removal in token exchange <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49436">#&#8203;49436</a> [CVE-2026-9792] ROPC grant bypass in client policy enforcement <code>oidc</code></li> </ul> <h3>Weaknesses</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/48978">#&#8203;48978</a> UNSAFE_PATH_PATTERN regex to cover percent-encoded terminators and control characters <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48986">#&#8203;48986</a> Authorization Services: NullPointerException in UMA permission grant when stale permission ticket references removed scope <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48987">#&#8203;48987</a> Account API: Resource sharing endpoints ignore userManagedAccessAllowed realm setting <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49086">#&#8203;49086</a> Account resource sharing resolves recipient by username before email, granting access to wrong user <code>authorization-services</code></li> </ul> <h3>Enhancements</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/48311">#&#8203;48311</a> Upgrade to Quarkus 3.33.2 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48695">#&#8203;48695</a> Add startup check for missing database indexes </li> <li><a href="https://github.com/keycloak/keycloak/issues/49148">#&#8203;49148</a> Add SPI option to disable FD_SOCK2 failure detection </li> <li><a href="https://github.com/keycloak/keycloak/issues/49526">#&#8203;49526</a> Update to simple-git 3.36.0 </li> <li><a href="https://github.com/keycloak/keycloak/issues/49530">#&#8203;49530</a> Update to uuid >=13.0.1 </li> </ul> <h3>Bugs</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/45957">#&#8203;45957</a> Handling of CORS requests in the Admin UI ineffective / open for CSRF <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47036">#&#8203;47036</a> Account ResourceService user endpoint returns excessive user data in UMA-enabled realms <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48324">#&#8203;48324</a> UMA IS_ADMIN filter breaks ticket finding <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48430">#&#8203;48430</a> Wildcard redirect URI matching does not enforce host boundary when * is placed directly after hostname <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48432">#&#8203;48432</a> ClientAdapter using wrong value for isFrontChannelLogout <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48438">#&#8203;48438</a> Keycloak 26.6.0/26.6.1 exits (code 1) ~100ms after async realm migration completes; migrations not persisted <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48455">#&#8203;48455</a> ContextNotActiveException during error handling <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48464">#&#8203;48464</a> Incomplete SCIM schema definition for objects <code>scim</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48529">#&#8203;48529</a> Broken downstream docs formatting on Kubernetes topic <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48584">#&#8203;48584</a> Updating Keycloak to 26.6.x fails on SQL Server with case sensitive collation <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48628">#&#8203;48628</a> Client registerNode and unregisterNode endpoints fail authenticating the client <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48681">#&#8203;48681</a> ExternalLinksTest: oasis-open.org/standard/saml/ returns 403 in CI causing flaky documentation check <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48716">#&#8203;48716</a> Missing index IDX_IDP_FOR_LOGIN and IDX_CLIENT_ATT_BY_NAME_VALUE for Microsoft SQL Server <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48744">#&#8203;48744</a> Input validation/ Unhandled NullPointerException on alg:none JWT in Bearer Authentication <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48792">#&#8203;48792</a> Virtual Thread checking is not working <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48806">#&#8203;48806</a> NPE when accessing Account UI and the ACCOUNT feature is disabled <code>account/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48877">#&#8203;48877</a> Keycloak 26.6.1 does not persist UPDATE_PASSWORD for LDAP/AD federated users after temporary password reset <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48904">#&#8203;48904</a> Consistent 500 on DELETE of realms via non-browser clients calling REST API <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49058">#&#8203;49058</a> Keycloak fails to run tests with embedded undertow <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49140">#&#8203;49140</a> Workflows documentation: offboarding example is incorrectly enclosing the list of revoked roles with double quotes <code>workflows</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49149">#&#8203;49149</a> Disable single thread sender in JGroups <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49151">#&#8203;49151</a> FIPS jobs fail in CI because java-25-openjdk-devel package is missing <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49163">#&#8203;49163</a> Enable JGroups message stats <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49194">#&#8203;49194</a> Use Java 25 again for FIPS jobs <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49222">#&#8203;49222</a> Incorrect link to Themes documentation <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49224">#&#8203;49224</a> Broken links in UI Customization Guide <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49263">#&#8203;49263</a> Use the PostgreSQL driver privacy option `logServerErrorDetail` <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49265">#&#8203;49265</a> Since Hibernate 7, the workaround to not log-and-throw Hibernate errors does not longer work <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49274">#&#8203;49274</a> JavaScript CI hangs when installing playwright <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49288">#&#8203;49288</a> Link issue in the documentation for https://www.rfc-editor.org/rfc/rfc7662 <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49356">#&#8203;49356</a> SAML async processing leaves a dangling threadlocal transaction <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49611">#&#8203;49611</a> Realm extensions require Bearer or Drop authorisation <code>admin/api</code></li> </ul> </div> ### [`v26.6.2`](https://github.com/keycloak/keycloak/releases/tag/26.6.2) [Compare Source](https://github.com/keycloak/keycloak/compare/26.6.1...26.6.2) <div> <h2>Upgrading</h2> <p>Before upgrading refer to <a href="https://www.keycloak.org/docs/latest/upgrading/#migration-changes">the migration guide</a> for a complete list of changes.</p> <h2>All resolved issues</h2> <h3>Security fixes</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47485">#&#8203;47485</a> CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service </li> <li><a href="https://github.com/keycloak/keycloak/issues/47486">#&#8203;47486</a> CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing </li> <li><a href="https://github.com/keycloak/keycloak/issues/47932">#&#8203;47932</a> [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48049">#&#8203;48049</a> [CVE-2026-37980] Stored XSS in select-organization.ftl - FreeMarker HTML-escape insufficient in inline JS handler <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48275">#&#8203;48275</a> CVE-2026-5588 Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48388">#&#8203;48388</a> [CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48570">#&#8203;48570</a> [CVE‐2026‐0636, CVE‐2026‐3505, CVE‐2026‐5598] Multiple bouncycastle CVEs <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/49108">#&#8203;49108</a> [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint </li> <li><a href="https://github.com/keycloak/keycloak/issues/49109">#&#8203;49109</a> [CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak </li> <li><a href="https://github.com/keycloak/keycloak/issues/49110">#&#8203;49110</a> [CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data </li> <li><a href="https://github.com/keycloak/keycloak/issues/49111">#&#8203;49111</a> [CVE-2026-7507] Session fixation in OIDC login flow leading to account takeover </li> <li><a href="https://github.com/keycloak/keycloak/issues/49112">#&#8203;49112</a> [CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account </li> <li><a href="https://github.com/keycloak/keycloak/issues/49113">#&#8203;49113</a> [CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens </li> <li><a href="https://github.com/keycloak/keycloak/issues/49114">#&#8203;49114</a> [CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission </li> <li><a href="https://github.com/keycloak/keycloak/issues/49115">#&#8203;49115</a> [CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access) </li> <li><a href="https://github.com/keycloak/keycloak/issues/49116">#&#8203;49116</a> [CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration </li> </ul> <h3>Enhancements</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47728">#&#8203;47728</a> Monitor backups for CNPG - describe how to monitor it in the CNPG for backups installation guide </li> <li><a href="https://github.com/keycloak/keycloak/issues/47734">#&#8203;47734</a> Add dedicated "Monitoring Standbys" section to the general installation documentation </li> <li><a href="https://github.com/keycloak/keycloak/issues/48329">#&#8203;48329</a> JDBC_PING in 26.6 should not fail with 26.7 schema changes </li> <li><a href="https://github.com/keycloak/keycloak/issues/48348">#&#8203;48348</a> Escape expressions in JS blocks in FTL pages </li> <li><a href="https://github.com/keycloak/keycloak/issues/48687">#&#8203;48687</a> Upgrade to Quarkus 3.33.1.1 </li> </ul> <h3>Bugs</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/38526">#&#8203;38526</a> Duplicate user attribute values cannot be removed <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40602">#&#8203;40602</a> Account UI reports "Something went wrong" when opening an unknown path <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47882">#&#8203;47882</a> Broken link in deploy-cnpg <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47901">#&#8203;47901</a> Realm import with --import-realm fails with ModelValidationException when Admin Permissions is enabled <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47915">#&#8203;47915</a> FreeMarker templates allow instantiation of new objects and even running OS commands <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47987">#&#8203;47987</a> FGAP v2 Specific Group permission has no scopes found in resource <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48030">#&#8203;48030</a> Update to operator version 26.6.0 needs deletion of all objects <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48040">#&#8203;48040</a> User session limit generates fatal error <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48094">#&#8203;48094</a> Wrong referenced resource type in Workflow handling for clients <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48123">#&#8203;48123</a> Clarify canonicalization in X.509 authentication <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48143">#&#8203;48143</a> Ordering of permission and policy calls leads to exposure of a client ID <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48185">#&#8203;48185</a> Deleted workflow still attempting to run <code>workflows</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48241">#&#8203;48241</a> JavaScript Injection in frontchannel-logout.ftl via frontchannel-logout.title <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48259">#&#8203;48259</a> Kubernetes identity providers docs still mention it to be a preview feature <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48313">#&#8203;48313</a> No escape approach for JS code inside the front channel logout FTL <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48536">#&#8203;48536</a> Review migration guide for rolling updates changes <code>workflows</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48629">#&#8203;48629</a> WindowsServiceDistTest.testServiceLifecycle fails on slower runners due to insufficient startup timeout <code>ci</code></li> </ul> </div> ### [`v26.6.1`](https://github.com/keycloak/keycloak/releases/tag/26.6.1) [Compare Source](https://github.com/keycloak/keycloak/compare/26.6.0...26.6.1) <div> <h2>Upgrading</h2> <p>Before upgrading refer to <a href="https://www.keycloak.org/docs/latest/upgrading/#migration-changes">the migration guide</a> for a complete list of changes.</p> <h2>All resolved issues</h2> <h3>Security fixes</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47276">#&#8203;47276</a> CVE-2026-4366 Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47619">#&#8203;47619</a> CVE-2026-4633 Keycloak user enumeration via identity-first login <code>core</code></li> </ul> <h3>Enhancements</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47839">#&#8203;47839</a> Update CloudNativePG to 1.29 </li> <li><a href="https://github.com/keycloak/keycloak/issues/47909">#&#8203;47909</a> Database data at rest encryption </li> </ul> <h3>Bugs</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/47435">#&#8203;47435</a> AuroraDB IT CI workflow not cleaning up databases <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47737">#&#8203;47737</a> deploy-testsuite profile is incomplete, causing discrete testsuite execution to fail <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47776">#&#8203;47776</a> False session type of access token in offline_access refresh token flow with scope parameter without offline_access scope <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47827">#&#8203;47827</a> az vm create fails with JSON parsing error <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47872">#&#8203;47872</a> v26.6.0 Operator flood logs with warnings <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47889">#&#8203;47889</a> Not possible to sync latest keycloak-admin-client to keycloak-client <code>admin/client-java</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47904">#&#8203;47904</a> @&#8203;keycloak/keycloak-admin-client fails to install in version 26.6.0 <code>admin/client-js</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47905">#&#8203;47905</a> invalid package reference in keycloak-admin-ui <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47908">#&#8203;47908</a> MigrateTo26_6_0 modifies custom browser flows, breaking existing realm authentication <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47929">#&#8203;47929</a> User profile multiselect options not highlighted as selected in dropdown <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/47955">#&#8203;47955</a> IdentityProviderAuthenticator creates an infinite redirect loop when an IdP returns an error (e.g. access_denied) and the login was initiated with kc_idp_hint <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48015">#&#8203;48015</a> Missing explicit docs anchor for organizations <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/48032">#&#8203;48032</a> Endpoint Response Text during Bootstrap contains Typo: Boostrap <code>dist/quarkus</code></li> </ul> </div> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMCIsInVwZGF0ZWRJblZlciI6IjQzLjI1Ny4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Update Keycloak packages to v26.6.1
All checks were successful
/ Verify (pull_request) Successful in 1m13s
/ Verify (push) Successful in 1m13s
0efe1e9228
renovate force-pushed renovate/keycloak-packages from 0efe1e9228
All checks were successful
/ Verify (pull_request) Successful in 1m13s
/ Verify (push) Successful in 1m13s
to dada6353a0
All checks were successful
/ Verify (pull_request) Successful in 54s
/ Verify (push) Successful in 54s
2026-05-19 14:46:56 +02:00
Compare
renovate changed title from Update Keycloak packages to v26.6.1 to Update Keycloak packages 2026-05-19 14:46:56 +02:00
renovate changed title from Update Keycloak packages to Update Keycloak packages to v26.6.2 2026-05-19 15:02:06 +02:00
renovate force-pushed renovate/keycloak-packages from dada6353a0
All checks were successful
/ Verify (pull_request) Successful in 54s
/ Verify (push) Successful in 54s
to 3420dbce3b
All checks were successful
/ Verify (push) Successful in 53s
/ Verify (pull_request) Successful in 53s
2026-05-19 15:02:06 +02:00
Compare
renovate force-pushed renovate/keycloak-packages from 3420dbce3b
All checks were successful
/ Verify (push) Successful in 53s
/ Verify (pull_request) Successful in 53s
to 5624d45198
All checks were successful
/ Verify (push) Successful in 53s
/ Verify (pull_request) Successful in 1m9s
2026-06-04 19:02:21 +02:00
Compare
renovate changed title from Update Keycloak packages to v26.6.2 to Update Keycloak packages 2026-06-04 19:02:23 +02:00
renovate force-pushed renovate/keycloak-packages from 5624d45198
All checks were successful
/ Verify (push) Successful in 53s
/ Verify (pull_request) Successful in 1m9s
to edcdb200e6
All checks were successful
/ Verify (pull_request) Successful in 46s
/ Verify (push) Successful in 46s
2026-06-04 19:47:07 +02:00
Compare
renovate changed title from Update Keycloak packages to Update Keycloak packages to v26.6.3 2026-06-04 19:47:09 +02:00
renovate force-pushed renovate/keycloak-packages from edcdb200e6
All checks were successful
/ Verify (pull_request) Successful in 46s
/ Verify (push) Successful in 46s
to 372a08713a
All checks were successful
/ Verify (pull_request) Successful in 1m13s
/ Verify (push) Successful in 1m13s
2026-06-26 12:46:41 +02:00
Compare
renovate changed title from Update Keycloak packages to v26.6.3 to Update Keycloak packages 2026-06-26 12:46:41 +02:00
renovate force-pushed renovate/keycloak-packages from 372a08713a
All checks were successful
/ Verify (pull_request) Successful in 1m13s
/ Verify (push) Successful in 1m13s
to b907bb5ae8
All checks were successful
/ Verify (push) Successful in 52s
/ Verify (pull_request) Successful in 51s
2026-06-26 21:47:15 +02:00
Compare
renovate changed title from Update Keycloak packages to Update Keycloak packages to v26.6.4 2026-06-26 21:47:17 +02:00
renovate force-pushed renovate/keycloak-packages from b907bb5ae8
All checks were successful
/ Verify (push) Successful in 52s
/ Verify (pull_request) Successful in 51s
to e8dce3f49d
All checks were successful
/ Verify (push) Successful in 1m14s
/ Verify (pull_request) Successful in 1m14s
2026-07-09 09:01:50 +02:00
Compare
renovate changed title from Update Keycloak packages to v26.6.4 to Update Keycloak packages 2026-07-09 09:01:51 +02:00
renovate changed title from Update Keycloak packages to Update Keycloak packages to v26.7.0 2026-07-09 09:46:43 +02:00
renovate force-pushed renovate/keycloak-packages from e8dce3f49d
All checks were successful
/ Verify (push) Successful in 1m14s
/ Verify (pull_request) Successful in 1m14s
to f2bc46abf3
All checks were successful
/ Verify (push) Successful in 47s
/ Verify (pull_request) Successful in 48s
2026-07-09 09:46:44 +02:00
Compare
renovate force-pushed renovate/keycloak-packages from f2bc46abf3
All checks were successful
/ Verify (push) Successful in 47s
/ Verify (pull_request) Successful in 48s
to 1ea041dc7c
All checks were successful
/ Verify (pull_request) Successful in 57s
/ Verify (push) Successful in 57s
2026-07-18 14:16:59 +02:00
Compare
All checks were successful
/ Verify (pull_request) Successful in 57s
/ Verify (push) Successful in 57s
This pull request can be merged automatically.
This branch is out-of-date with the base branch
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/keycloak-packages:renovate/keycloak-packages
git switch renovate/keycloak-packages

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main
git merge --no-ff renovate/keycloak-packages
git switch renovate/keycloak-packages
git rebase main
git switch main
git merge --ff-only renovate/keycloak-packages
git switch renovate/keycloak-packages
git rebase main
git switch main
git merge --no-ff renovate/keycloak-packages
git switch main
git merge --squash renovate/keycloak-packages
git switch main
git merge --ff-only renovate/keycloak-packages
git switch main
git merge renovate/keycloak-packages
git push origin main
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
CCCHH/keycloak-attribute-endpoints-provider!18
No description provided.