Change8

26.1.3

Package: keycloak (1 feature, 21 fixes, 12 affected symbols)

Summary

This release introduces a security enhancement that forces federated users to log in again after resetting their credentials, by defaulting the 'force-login' option of the reset-credential-email authenticator to 'only-federated'. It also resolves numerous bugs across the UI, authentication, and storage, and addresses two CVEs (CVE-2025-0736 and CVE-2024-47072).

Migration Steps

  1. Refer to the migration guide for a complete list of changes before upgrading: file:/home/runner/work/keycloak-rel/keycloak-rel/target/web/docs/latest/upgrading/#migration-changes

✨ New Features

  • The 'reset-credential-email' authenticator now defaults to 'only-federated' for the 'force-login' option, meaning federated users are forced to log in again after resetting credentials, while internal database users are not.

🐛 Bug Fixes

  • Fixed invalid migration export for empty database (#32535).
  • Fixed redirect issue after linking account (#36405).
  • Fixed the requirement for the 'view-realm' role when viewing user events (#36527).
  • Fixed broken Keycloak user attribute key in Keycloak 26.1.0 (#36585).
  • Fixed issue where 'hide on login' setting was turned off when linking IDP to an organization (#36703).
  • Fixed SAML2 Client Signing Keys Config not accepting PEM import (#36709).
  • Fixed comboboxes not displaying selected option after reset (#36842).
  • Fixed MeterFilter being configured after a Meter has been registered (#36927).
  • Addressed CVE-2025-0736: Error during JGroups channel creation may reveal secure information (#36965).
  • Fixed inability to edit user profile attribute in the admin console (form or JSON editor) (#36985).
  • Fixed CI failure with "Problem creating zip: Execution exception: Java heap space" (#37029).
  • Fixed error on import of a public key in PEM format (#37066).
  • Fixed issue where customized quarkus.properties for MySQL caused the server to fail starting due to missing H2 driver (#37128).
  • Fixed wrong organization claim assignment in JWT access token (#37169).
  • Fixed login form allowing determination of existing email addresses/usernames (#37229).
  • Fixed problems changing pre-defined user profile attributes (#37268).
  • Upgraded to the latest JGroups patch version (#37285).
  • Addressed CVE-2024-47072: XStream vulnerability to Denial of Service attack via stack overflow from manipulated binary input stream (#37360).
  • Fixed case-sensitivity handling in password policies such as NoUsername (#37431).
  • Fixed failing External Link Test (#37434).
  • Fixed property name casing mismatch in ProtocolMapperUtils (#37577).

Affected Symbols