26.4.6
📦 keycloak
✨ 1 feature 🐛 11 fixes 🔧 9 symbols
Summary
This release introduces a security enhancement by filtering LDAP referrals by default and resolves numerous bugs across security, Infinispan, UI, and CI components.
Migration Steps
- If you cannot upgrade immediately, disable LDAP referrals in all LDAP providers in all of your realms.
- Review the upgrading guide for detailed upgrade instructions: https://www.keycloak.org/docs/latest/upgrading/index.html
- Refer to the migration guide for a complete list of changes before upgrading: https://www.keycloak.org/docs/latest/upgrading/#migration-changes
✨ New Features
- LDAP referrals are filtered by default for enhanced security.
🐛 Bug Fixes
- Fixed deserialization of untrusted data in LDAP user federation (#44478, CVE-2025-13467).
- Sessions are now correctly removed when a user is deleted in Infinispan (#43323).
- UPDATE_EMAIL action no longer invalidates the old email (#43738).
- Resolved flaky test: org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest (#43754).
- Admin console now sends correct JSON payload with content-type: application/json (#43812).
- Fixed double-encoding of query parameter values (e.g. acr_values) for version 26.4 (#44125).
- Fixed broken links in Keycloak Docs CI (#44187).
- Resolved SQLIntegrityConstraintViolationException: Duplicate entry when using jdbc-ping with Infinispan (#44189).
- Fixed unexpected FORMAT_FAILURE error when using cache-config-file with feature-disabled=persistent-user-sessions (#44229).
- Admin Client now creates correctly formed paths for requests (#44269).
- Caching of static theme resources in dev mode is no longer disabled (#44287).