Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- [#45493](https://github.com/keycloak/keycloak/issues/45493) CVE-2025-14083 keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure (admin/api)
- [#45569](https://github.com/keycloak/keycloak/issues/45569) CVE-2026-1002 - io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files
- [#47069](https://github.com/keycloak/keycloak/issues/47069) CVE-2026-3429 Improper Access Control for LoA During Credential Deletion (account/api)
- [#47716](https://github.com/keycloak/keycloak/issues/47716) CVE-2026-4634 Keycloak Application-Level DoS via Scope Processing
- [#47717](https://github.com/keycloak/keycloak/issues/47717) CVE-2026-4636 UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
- [#47718](https://github.com/keycloak/keycloak/issues/47718) CVE-2026-3872 Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
- [#47719](https://github.com/keycloak/keycloak/issues/47719) CVE-2026-4282 Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw
Enhancements
- [#46631](https://github.com/keycloak/keycloak/issues/46631) Upgrade to Quarkus 3.27.3 (dist/quarkus)
Bugs
- [#45204](https://github.com/keycloak/keycloak/issues/45204) Call without Host header throws uncaught error (core)