Change8

26.3.3

Breaking Changes
📦 keycloakView on GitHub →
2 breaking🐛 24 fixes🔧 21 symbols

Summary

This release focuses on stability, upgrading core dependencies like Quarkus and Infinispan, and resolving numerous bugs across LDAP synchronization, OIDC flows, cluster stability, and documentation errors. Several template and API backward incompatibilities were introduced or fixed.

⚠️ Breaking Changes

  • Breaking template change: Unknown `locale` input field added to user-profile registration page. This may affect custom themes or templates related to user profile registration.
  • Backwards incompatible changes to 26.3.0 cause NullPointerException when requesting /certificates/jwt.credential/generate-and-download. Review usage of the JWT credential generation endpoint.

Migration Steps

  1. Before upgrading refer to https://www.keycloak.org/docs/latest/upgrading/#migration-changes for a complete list of changes.

🐛 Bug Fixes

  • #41558: Ensure cache configuration has correct number of owners.
  • #41934: Update to Infinispan 15.0.19.Final.
  • #41963: Upgrade to Quarkus 3.20.2.1 in dist/quarkus.
  • #39562: Fix for Unknown `locale` input field added to user-profile registration page.
  • #40984: Fix for backchannel logout token with an unexpected signature algorithm key in oidc.
  • #41023: Fix issue preventing sending e-mails to international e-mail addresses due to bad UTF-8 syntax in core.
  • #41098: Fix for being locked out after upgrade to 26.3.1 due to missing sub in lightweight access token in core.
  • #41268: Fix incompatibility between `--optimized` flag and providers jar when used with tools changing `last-modify-date` in dist/quarkus.
  • #41290: Fix concurrent starts with JDBC_PING leading to a split cluster in infinispan.
  • #41390: Fix JDBC_PING2 not merging split clusters after a while in infinispan.
  • #41421: Fix broken link securing-cache-communication in caching docs.
  • #41423: Fix duplicate IDs in generated all configuration docs.
  • #41469: Fix uncaught exception cases unclosed spans in tracing in dist/quarkus.
  • #41488: Synchronize Maven surefire plugin with Quarkus in dist/quarkus.
  • #41491: Fix broken ExternalLinks in documentation.
  • #41520: Fix LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and KERBEROS_PRINCIPAL was null on creation.
  • #41532: Fix LDAP Sync all users taking unexpectedly long in 26.3 in ldap.
  • #41537: Fix error 405 "Method Not Allowed" when calling the "certs" endpoint with HEAD method in oidc.
  • #41643: Fix test SMTP connection failure when no port is specified in admin/api.
  • #41663: Fix typo in the caching doc.
  • #41677: Fix provider default regression in dist/quarkus.
  • #41808: Address CVE-2025-7962 by fixing SMTP Injection vulnerability related to Jakarta Mail 2.0.2.
  • #41842: Fix memberOf attribute empty or values with a DN that does not match the role base DN fetching all roles in ldap.
  • #41945: Fix issue where credentials having not-unique labels cannot be used after upgrade to 26.3.

Affected Symbols

user-profile registration pageoidc backchannel logout tokencore email sendingcore lightweight access tokendist/quarkus `--optimized` flaginfinispan JDBC_PINGinfinispan JDBC_PING2caching docs securing-cache-communicationdocs configuration generationdist/quarkus tracing spansdist/quarkus Maven surefire plugindocs ExternalLinksldap import/syncoidc certs endpointadmin/api SMTP connection testcaching docdist/quarkus provider defaultcore Jakarta Mailldap memberOf attribute/certificates/jwt.credential/generate-and-downloadlogin/ui Credentials label uniqueness