Upgrading
Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- [#47485](https://github.com/keycloak/keycloak/issues/47485) CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service
- [#47486](https://github.com/keycloak/keycloak/issues/47486) CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing
- [#47932](https://github.com/keycloak/keycloak/issues/47932) [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters authorization-services
- [#48049](https://github.com/keycloak/keycloak/issues/48049) [CVE-2026-37980] Stored XSS in select-organization.ftl - FreeMarker HTML-escape insufficient in inline JS handler organizations
- [#48275](https://github.com/keycloak/keycloak/issues/48275) CVE-2026-5588 Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules core
- [#48388](https://github.com/keycloak/keycloak/issues/48388) [CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration authentication/webauthn
- [#48570](https://github.com/keycloak/keycloak/issues/48570) [CVE-2026-0636, CVE-2026-3505, CVE-2026-5598] Multiple bouncycastle CVEs core
- [#49108](https://github.com/keycloak/keycloak/issues/49108) [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint
- [#49109](https://github.com/keycloak/keycloak/issues/49109) [CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak
- [#49110](https://github.com/keycloak/keycloak/issues/49110) [CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data
- [#49111](https://github.com/keycloak/keycloak/issues/49111) [CVE-2026-7507] Session fixation in OIDC login flow leading to account takeover
- [#49112](https://github.com/keycloak/keycloak/issues/49112) [CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account
- [#49113](https://github.com/keycloak/keycloak/issues/49113) [CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens
- [#49114](https://github.com/keycloak/keycloak/issues/49114) [CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission
- [#49115](https://github.com/keycloak/keycloak/issues/49115) [CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access)
- [#49116](https://github.com/keycloak/keycloak/issues/49116) [CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration
Enhancements
- [#47728](https://github.com/keycloak/keycloak/issues/47728) Monitor backups for CNPG - describe how to monitor it in the CNPG for backups installation guide
- [#47734](https://github.com/keycloak/keycloak/issues/47734) Add dedicated "Monitoring Standbys" section to the general installation documentation
- [#48329](https://github.com/keycloak/keycloak/issues/48329) JDBC_PING in 26.6 should not fail with 26.7 schema changes
- [#48348](https://github.com/keycloak/keycloak/issues/48348) Escape expressions in JS blocks in FTL pages
- [#48687](https://github.com/keycloak/keycloak/issues/48687) Upgrade to Quarkus 3.33.1.1
Bugs
- [#38526](https://github.com/keycloak/keycloak/issues/38526) Duplicate user attribute values cannot be removed core
- [#40602](https://github.com/keycloak/keycloak/issues/40602) Account UI reports "Something went wrong" when opening an unknown path account/ui
- [#47882](https://github.com/keycloak/keycloak/issues/47882) Broken link in deploy-cnpg docs
- [#47901](https://github.com/keycloak/keycloak/issues/47901) Realm import with --import-realm fails with ModelValidationException when Admin Permissions is enabled admin/fine-grained-permissions
- [#47915](https://github.com/keycloak/keycloak/issues/47915) FreeMarker templates allow instantiation of new objects and even running OS commands login/ui
- [#47987](https://github.com/keycloak/keycloak/issues/47987) FGAP v2 Specific Group permission has no scopes found in resource admin/fine-grained-permissions
- [#48030](https://github.com/keycloak/keycloak/issues/48030) Update to operator version 26.6.0 needs deletion of all objects operator
- [#48040](https://github.com/keycloak/keycloak/issues/48040) User session limit generates fatal error authentication
- [#48094](https://github.com/keycloak/keycloak/issues/48094) Wrong referenced resource type in Workflow handling for clients core
- [#48123](https://github.com/keycloak/keycloak/issues/48123) Clarify canonicalization in X.509 authentication authentication
- [#48143](https://github.com/keycloak/keycloak/issues/48143) Ordering of permission and policy calls leads to exposure of a client ID admin/api
- [#48185](https://github.com/keycloak/keycloak/issues/48185) Deleted workflow still attempting to run workflows
- [#48241](https://github.com/keycloak/keycloak/issues/48241) JavaScript Injection in frontchannel-logout.ftl via frontchannel-logout.title authentication
- [#48259](https://github.com/keycloak/keycloak/issues/48259) Kubernetes identity providers docs still mention it to be a preview feature docs
- [#48313](https://github.com/keycloak/keycloak/issues/48313) No escape approach for JS code inside the front channel logout FTL login/ui
- [#48536](https://github.com/keycloak/keycloak/issues/48536) Review migration guide for rolling updates changes workflows
- [#48629](https://github.com/keycloak/keycloak/issues/48629) WindowsServiceDistTest.testServiceLifecycle fails on slower runners due to insufficient startup timeout ci