Download Latest Version
26.3.3 source code.tar.gz (39.8 MB)
Get an email when there's a new version of Keycloak
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #41558](https://github.com/href="https://github.com/keycloak/keycloak/issues/41558">/issues/41558) Ensure cache configuration has correct number of owners
- #41934](https://github.com/href="https://github.com/keycloak/keycloak/issues/41934">/issues/41934) Infinispan 15.0.19.Final
- #41963](https://github.com/href="https://github.com/keycloak/keycloak/issues/41963">/issues/41963) Upgrade to Quarkus 3.20.2.1
dist/quarkus
Bugs
- #39562](https://github.com/href="https://github.com/keycloak/keycloak/issues/39562">/issues/39562) Breaking template change: Unknown `locale` input field added to user-profile registration page
user-profile - #40984](https://github.com/href="https://github.com/keycloak/keycloak/issues/40984">/issues/40984) Backchannel logout token with an unexpected signature algorithm key
oidc - #41023](https://github.com/href="https://github.com/keycloak/keycloak/issues/41023">/issues/41023) Can't send e-mails to international e-mail addresses: bad UTF-8 syntax
core - #41098](https://github.com/href="https://github.com/keycloak/keycloak/issues/41098">/issues/41098) Locked out after upgrade to 26.3.1 due to missing sub in lightweight access token
core - #41268](https://github.com/href="https://github.com/keycloak/keycloak/issues/41268">/issues/41268) `--optimized` flag and providers jar are incompatible when used with tools changing `last-modify-date`
dist/quarkus - #41290](https://github.com/href="https://github.com/keycloak/keycloak/issues/41290">/issues/41290) Concurrent starts with JDBC_PING lead to a split cluster
infinispan - #41390](https://github.com/href="https://github.com/keycloak/keycloak/issues/41390">/issues/41390) JDBC_PING2 doesn't merge split clusters after a while
infinispan - #41421](https://github.com/href="https://github.com/keycloak/keycloak/issues/41421">/issues/41421) Broken link securing-cache-communication in caching docs
docs - #41423](https://github.com/href="https://github.com/keycloak/keycloak/issues/41423">/issues/41423) Duplicate IDs in generated all configuration docs
docs - #41469](https://github.com/href="https://github.com/keycloak/keycloak/issues/41469">/issues/41469) Uncaught exception cases unclosed spans in tracing
dist/quarkus - #41488](https://github.com/href="https://github.com/keycloak/keycloak/issues/41488">/issues/41488) Synchronize Maven surefire plugin with Quarkus
dist/quarkus - #41491](https://github.com/href="https://github.com/keycloak/keycloak/issues/41491">/issues/41491) ExternalLinks are broken in documentation
docs - #41520](https://github.com/href="https://github.com/keycloak/keycloak/issues/41520">/issues/41520) LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and KERBEROS_PRINCIPAL was null on creation
ldap - #41532](https://github.com/href="https://github.com/keycloak/keycloak/issues/41532">/issues/41532) LDAP Sync all users takes unexpectedly long in 26.3 (> 30 min)
ldap - #41537](https://github.com/href="https://github.com/keycloak/keycloak/issues/41537">/issues/41537) Getting error 405 "Method Not Allowed" when calling the "certs" endpoint with HEAD method
oidc - #41643](https://github.com/href="https://github.com/keycloak/keycloak/issues/41643">/issues/41643) Test SMTP connection fails when no port is specified
admin/api - #41663](https://github.com/href="https://github.com/keycloak/keycloak/issues/41663">/issues/41663) Typo in the caching doc
docs - #41677](https://github.com/href="https://github.com/keycloak/keycloak/issues/41677">/issues/41677) Provider default regression
dist/quarkus - #41808](https://github.com/href="https://github.com/keycloak/keycloak/issues/41808">/issues/41808) CVE-2025-7962 In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages
core - #41842](https://github.com/href="https://github.com/keycloak/keycloak/issues/41842">/issues/41842) memberOf attribute empty or values with a DN that does not match the role base DN fetches all roles
ldap - #41906](https://github.com/href="https://github.com/keycloak/keycloak/issues/41906">/issues/41906) Backwards incompatible changes to 26.3.0 cause NullPoointerException when requesting /certificates/jwt.credential/generate-and-download
authentication - #41945](https://github.com/href="https://github.com/keycloak/keycloak/issues/41945">/issues/41945) After upgrade to 26.3: Not possible to use Credentials having not-unique label
login/ui