26.3.5
📦 keycloak
🐛 7 fixes, 🔧 4 symbols
Summary
This release upgrades Keycloak to Quarkus 3.20.3 LTS and removes the explicit MariaDB connector dependency. It also addresses two Netty vulnerabilities: CVE-2025-58057 (BrotliDecoder data amplification) and CVE-2025-58056 (HTTP request smuggling).
Migration Steps
- Refer to the migration guide for a complete list of changes before upgrading: https://www.keycloak.org/docs/latest/upgrading/#migration-changes
🐛 Bug Fixes
- #41418: Access to user details for restricted admin fails after enabling organization in realm
- #42405: Old hmac-generated (32bit) is recreated when order is changed in realm keys ui
- #42491: CVE-2025-58057 - Netty BrotliDecoder / Data Amplification vulnerability
- #42492: CVE-2025-58056 - Netty HTTP Request Smuggling vulnerability
- #42736: Reset password in admin UI with 'not recently used' password policy leads to error 'Device already exists with the same name'
- #42769: Missing switch "ID Token as detached signature" in the admin console client settings
- #42922: Dynamic Client Registration invalidates the realm cache