Change8

26.6.3

📦 keycloakView on GitHub →
5 features🐛 37 fixes🔧 17 symbols

Summary

This release focuses heavily on security fixes, addressing numerous CVEs across various components like OIDC, SAML, and LDAP. It also includes several enhancements such as upgrading Quarkus and adding startup checks for database indexes.

Migration Steps

  1. Before upgrading refer to the migration guide for a complete list of changes.

✨ New Features

  • #48311 Upgrade to Quarkus 3.33.2
  • #48695 Add startup check for missing database indexes
  • #49148 Add SPI option to disable FD_SOCK2 failure detection
  • #49526 Update to simple-git 3.36.0
  • #49530 Update to uuid >=13.0.1

🐛 Bug Fixes

  • #47707 CVE-2026-4800 lodash vulnerable to Code Injection via _.template imports key names
  • #47935 [CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint manipulation
  • #48036 [CVE-2026-37977] CORS Access-Control-Allow-Origin reflected from unverified JWT azp claim on UMA token endpoint
  • #48709 [CVE-2026-7500] Improper Access Control on Keycloak Server when the account Account API feature is disabled
  • #48805 CVE-2026-42581 Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
  • #49118 [CVE-2026-8922] OIDC token introspection ignores realm-level notBefore when client-level notBefore is set
  • #49133 [CVE-2026-8830] Missing server-side WebAuthn validations during credential registration
  • #49174 [CVE-2026-9088] Group Members Endpoint Bypasses User Profile Permissions
  • #49175 [CVE-2026-9087] Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login
  • #49426 [CVE-2026-9802] Server restart resets startupTime, allowing reuse of rotated refresh tokens when revokeRefreshToken=true
  • #49428 [CVE-2026-9794] SAML ECP faultstring discloses client existence and configuration state
  • #49431 [CVE-2026-9791] Organization data exposed in tokens and account API when Organizations feature is disabled at realm level
  • #49433 [CVE-2026-0707] ClientRegistrationAuth DoS via malformed Authorization header (CVE-2026-0707 incomplete fix)
  • #49434 [CVE-2026-9801] DoS in LDAP federation via malformed PasswordPolicyControl
  • #49435 [CVE-2026-9704] Privilege escalation via silent subject_token removal in token exchange
  • #49436 [CVE-2026-9792] ROPC grant bypass in client policy enforcement
  • #48978 UNSAFE_PATH_PATTERN regex to cover percent-encoded terminators and control characters
  • #48986 Authorization Services: NullPointerException in UMA permission grant when stale permission ticket references removed scope
  • #48987 Account API: Resource sharing endpoints ignore userManagedAccessAllowed realm setting
  • #49086 Account resource sharing resolves recipient by username before email, granting access to wrong user
  • #45957 Handling of CORS requests in the Admin UI ineffective / open for CSRF
  • #47036 Account ResourceService user endpoint returns excessive user data in UMA-enabled realms
  • #48324 UMA IS_ADMIN filter breaks ticket finding
  • #48430 Wildcard redirect URI matching does not enforce host boundary when * is placed directly after hostname
  • #48432 ClientAdapter using wrong value for isFrontChannelLogout
  • #48438 Keycloak 26.6.0/26.6.1 exits (code 1) ~100ms after async realm migration completes; migrations not persisted
  • #48455 ContextNotActiveException during error handling
  • #48464 Incomplete SCIM schema definition for objects
  • #48529 Broken downstream docs formatting on Kubernetes topic
  • #48584 Updating Keycloak to 26.6.x fails on SQL Server with case sensitive collation
  • #48628 Client registerNode and unregisterNode endpoints fail authenticating the client
  • #48681 ExternalLinksTest: oasis-open.org/standard/saml/ returns 403 in CI causing flaky documentation check
  • #48716 Missing index IDX_IDP_FOR_LOGIN and IDX_CLIENT_ATT_BY_NAME_VALUE for Microsoft SQL Server
  • #48744 Input validation/ Unhandled NullPointerException on alg:none JWT in Bearer Authentication
  • #48792 Virtual Thread checking is not working
  • #48806 NPE when accessing Account UI and the ACCOUNT feature is disabled
  • #48877 Keycloak 26.6.1 does not persist UPDATE_PASSWORD for LDAP/AD federated users after temporary password reset

Affected Symbols