26.5.3
📦 keycloakView on GitHub →
🐛 12 fixes🔧 4 symbols
Summary
This release focuses heavily on security fixes, addressing several CVEs related to token grants and authorization checks. It also includes numerous bug fixes addressing memory consumption, client token refreshing, and CI/testing stability.
Migration Steps
- Refer to the migration guide for a complete list of changes before upgrading.
🐛 Bug Fixes
- Fixed CVE-2026-1609: Disabled users can no longer obtain tokens via JWT Authorization Grant.
- Fixed CVE-2026-1529: Resolved issue where a forged invitation JWT enabled cross-organization self-registration.
- Fixed CVE-2026-1486: Addressed logic bypass in JWT Authorization Grant that allowed authentication via disabled Identity Providers.
- Fixed CVE-2025-14778: Corrected incorrect ownership checks in /uma-policy/.
- Fixed Node.js admin client not refreshing tokens.
- Resolved k8s multiple restart (oomkilled) issues during startup in v26.5.0-0 due to RAM usage.
- Addressed increased startup memory consumption observed in post 26.5 versions.
- Fixed Hibernate Validator being enabled by default when not explicitly used.
- Fixed unexpected value '' in mixed-cluster-compatibility-tests.
- Resolved failure in mixed-cluster-compatibility-tests due to incorrectly masked content in 26.5 branch.
- Corrected broken YAML indentation in operator rolling updates documentation.
- Removed fatal log messages from `ConsistentHash`.