Change8

26.5.5

📦 keycloak
🐛 4 fixes

Summary

This release focuses primarily on security fixes, addressing several CVEs related to SAML broker vulnerabilities and improper enforcement of disabled identity providers.

Migration Steps

  1. Refer to the migration guide for a complete list of changes before upgrading.

🐛 Bug Fixes

  • Fixed CVE-2026-3047: SAML broker authentication bypass, where a disabled SAML client could still complete an IdP-initiated login.
  • Fixed CVE-2026-3009: Improper Enforcement of Disabled Identity Provider in IdentityBrokerService.
  • Fixed CVE-2026-2603: Disabled SAML IdP still allows IdP-initiated broker login.
  • Fixed CVE-2026-2092: Addressed SAML broker encrypted assertion injection vulnerability.