Change8

26.5.2

📦 keycloak
✨ 2 features · 🐛 16 fixes · 🔧 11 symbols

Summary

This release focuses heavily on security fixes, addressing several CVEs related to request smuggling, thread exhaustion, and unauthorized token issuance. It also includes numerous bug fixes across core components like Infinispan, OIDC, and database migrations.

Migration Steps

  1. Refer to the migration guide for a complete list of changes: https://www.keycloak.org/docs/latest/upgrading/#migration-changes

✨ New Features

  • Keycloak now warns when the ISPN or JGROUPS logging categories are running at debug level (#43443).
  • OpenAPI artifacts are now ignored when disabled in dist/quarkus builds (#45498).

🐛 Bug Fixes

  • Fixed CVE-2025-67735: Addressed netty-codec-http Request Smuggling via CRLF Injection (#44994).
  • Resolved issue preventing SSO login when using a custom attribute with a default value in user-profile (#44785).
  • Fixed a deadlock in Infinispan virtual threads (#45015).
  • Corrected duplicate address claims in IDToken for oidc flows (#45250).
  • Admin events for a user now correctly show role mapping, group mapping, and password reset events in the Admin UI (#45333).
  • Fixed database migration failure when updating to 26.5.0 on MS SQL (#45396).
  • Resolved an issue where cache-remote-host became mandatory at build time when the Infinispan clusterless feature was enabled (#45415).
  • Fixed a vulnerability where, with the user-profile Unmanaged Attributes policy set to "Only administrators can view", the Admin API could still set unmanaged attributes (#45417).
  • Updated Admin REST API documentation to be current (#45474).
  • Fixed regression on MariaDB/MySQL where Organizations domain resolution failed due to ORG/ORG_DOMAIN collation mismatch (#45526).
  • Keycloak now rejects matrix parameters in URLs, since they are not used (#45533).
  • Fixed CVE-2025-66560: Addressed Quarkus REST Worker Thread Exhaustion Vulnerability (#45570).
  • Updated Keycloak supported specs to list DPoP as supported in oidc (#45584).
  • Fixed OIDCIdentityProviderConfig issuer configuration issue related to token-exchange (#45590).
  • Resolved a possible charset/collation mismatch between the Organizations columns on MySQL/MariaDB (#45597).
  • Fixed CVE-2025-14559: Addressed business logic flaw allowing unauthorized token issuance for disabled users in keycloak-services (#45651).

Affected Symbols