26.6.1
📦 keycloak
✨ 2 features, 🐛 15 fixes, 🔧 12 symbols
Summary
This release addresses several security vulnerabilities, enhances database encryption, and resolves numerous bugs across various components including the admin UI, clients, and core functionality.
Migration Steps
- Refer to the migration guide for a complete list of changes before upgrading.
✨ New Features
- Update CloudNativePG to 1.29
- Database data at rest encryption
🐛 Bug Fixes
- Fixed Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling (#47276)
- Fixed Keycloak user enumeration via identity-first login (#47619)
- Fixed AuroraDB IT CI workflow not cleaning up databases (#47435)
- Fixed incomplete deploy-testsuite profile causing discrete testsuite execution to fail (#47737)
- Fixed incorrect session type of the access token in the offline_access refresh token flow when the scope parameter does not include the offline_access scope (#47776)
- Fixed az vm create failing with JSON parsing error (#47827)
- Fixed Operator flooding logs with warnings in version 26.6.0 (#47872)
- Fixed inability to sync latest keycloak-admin-client to keycloak-client (#47889)
- Fixed @keycloak/keycloak-admin-client failing to install in version 26.6.0 (#47904)
- Fixed invalid package reference in keycloak-admin-ui (#47905)
- Fixed MigrateTo26_6_0 modifying custom browser flows, breaking existing realm authentication (#47908)
- Fixed user profile multiselect options not highlighted as selected in dropdown (#47929)
- Fixed IdentityProviderAuthenticator creating an infinite redirect loop when an IdP returns an error (e.g. access_denied) and the login was initiated with kc_idp_hint (#47955)
- Fixed missing explicit docs anchor for organizations (#48015)
- Fixed typo in Endpoint Response Text during Bootstrap: Boostrap (#48032)