Keycloak Files

Identity and access management for modern applications and services

This is an exact mirror of the Keycloak project, hosted at https://github.com/keycloak/keycloak. SourceForge is not affiliated with Keycloak.

The interactive file manager requires Javascript. Please enable it or use sftp or scp.
You may still browse the files here.

Name	Modified	Size	InfoDownloads / Week
Parent folder
keycloak-ui-shared-26.6.3.tgz	2026-06-04	84.8 kB	0
keycloak-documentation-26.6.3.zip.asc	2026-06-04	228 Bytes	0
keycloak-documentation-26.6.3.zip.md5	2026-06-04	32 Bytes	0
keycloak-documentation-26.6.3.zip.sha1	2026-06-04	40 Bytes	0
keycloak-api-docs-26.6.3.zip	2026-06-04	33.0 MB	0
keycloak-api-docs-26.6.3.zip.asc	2026-06-04	228 Bytes	0
keycloak-api-docs-26.6.3.zip.md5	2026-06-04	32 Bytes	0
keycloak-api-docs-26.6.3.zip.sha1	2026-06-04	40 Bytes	0
keycloak-documentation-26.6.3.zip	2026-06-04	26.4 MB	0
keycloak-26.6.3.zip.asc	2026-06-04	228 Bytes	0
keycloak-26.6.3.zip.md5	2026-06-04	32 Bytes	0
keycloak-26.6.3.zip.sha1	2026-06-04	40 Bytes	0
keycloak-account-ui-26.6.3.tgz	2026-06-04	764.3 kB	0
keycloak-admin-client-26.6.3.tgz	2026-06-04	75.2 kB	0
keycloak-admin-ui-26.6.3.tgz	2026-06-04	3.7 MB	0
keycloak-26.6.3.tar.gz	2026-06-04	174.1 MB	0
keycloak-26.6.3.tar.gz.asc	2026-06-04	228 Bytes	0
keycloak-26.6.3.tar.gz.md5	2026-06-04	32 Bytes	0
keycloak-26.6.3.tar.gz.sha1	2026-06-04	40 Bytes	1
keycloak-26.6.3.zip	2026-06-04	174.3 MB	1
26.6.3 source code.tar.gz	2026-06-04	43.4 MB	0
26.6.3 source code.zip	2026-06-04	53.7 MB	2
README.md	2026-06-04	15.7 kB	0
Totals: 23 Items		509.5 MB	4

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#47707](https://github.com/href="https://github.com/keycloak/keycloak/issues/47707">/issues/47707) CVE-2026-4800 lodash vulnerable to Code Injection via `_.template` imports key names account/ui
#47935](https://github.com/href="https://github.com/keycloak/keycloak/issues/47935">/issues/47935) [CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint manipulation oidc
#48036](https://github.com/href="https://github.com/keycloak/keycloak/issues/48036">/issues/48036) [CVE-2026-37977] CORS Access-Control-Allow-Origin reflected from unverified JWT azp claim on UMA token endpoint authorization-services
#48709](https://github.com/href="https://github.com/keycloak/keycloak/issues/48709">/issues/48709) [CVE-2026-7500] Improper Access Control on Keycloak Server when the account Account API feature is disabled account/api
#48805](https://github.com/href="https://github.com/keycloak/keycloak/issues/48805">/issues/48805) CVE-2026-42581 Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
#49118](https://github.com/href="https://github.com/keycloak/keycloak/issues/49118">/issues/49118) [CVE-2026-8922] OIDC token introspection ignores realm-level notBefore when client-level notBefore is set oidc
#49133](https://github.com/href="https://github.com/keycloak/keycloak/issues/49133">/issues/49133) [CVE-2026-8830] Missing server-side WebAuthn validations during credential registration authentication/webauthn
#49174](https://github.com/href="https://github.com/keycloak/keycloak/issues/49174">/issues/49174) [CVE-2026-9088] Group Members Endpoint Bypasses User Profile Permissions admin/fine-grained-permissions
#49175](https://github.com/href="https://github.com/keycloak/keycloak/issues/49175">/issues/49175) [CVE-2026-9087] Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login identity-brokering
#49426](https://github.com/href="https://github.com/keycloak/keycloak/issues/49426">/issues/49426) [CVE-2026-9802] Server restart resets startupTime, allowing reuse of rotated refresh tokens when revokeRefreshToken=true oidc
#49428](https://github.com/href="https://github.com/keycloak/keycloak/issues/49428">/issues/49428) [CVE-2026-9794] SAML ECP faultstring discloses client existence and configuration state saml
#49431](https://github.com/href="https://github.com/keycloak/keycloak/issues/49431">/issues/49431) [CVE-2026-9791] Organization data exposed in tokens and account API when Organizations feature is disabled at realm level organizations
#49433](https://github.com/href="https://github.com/keycloak/keycloak/issues/49433">/issues/49433) [CVE-2026-0707] ClientRegistrationAuth DoS via malformed Authorization header (CVE-2026-0707 incomplete fix) admin/api
#49434](https://github.com/href="https://github.com/keycloak/keycloak/issues/49434">/issues/49434) [CVE-2026-9801] DoS in LDAP federation via malformed PasswordPolicyControl ldap
#49435](https://github.com/href="https://github.com/keycloak/keycloak/issues/49435">/issues/49435) [CVE-2026-9704] Privilege escalation via silent subject_token removal in token exchange oidc
#49436](https://github.com/href="https://github.com/keycloak/keycloak/issues/49436">/issues/49436) [CVE-2026-9792] ROPC grant bypass in client policy enforcement oidc

Weaknesses

#48978](https://github.com/href="https://github.com/keycloak/keycloak/issues/48978">/issues/48978) UNSAFE_PATH_PATTERN regex to cover percent-encoded terminators and control characters oidc
#48986](https://github.com/href="https://github.com/keycloak/keycloak/issues/48986">/issues/48986) Authorization Services: NullPointerException in UMA permission grant when stale permission ticket references removed scope authorization-services
#48987](https://github.com/href="https://github.com/keycloak/keycloak/issues/48987">/issues/48987) Account API: Resource sharing endpoints ignore userManagedAccessAllowed realm setting authorization-services
#49086](https://github.com/href="https://github.com/keycloak/keycloak/issues/49086">/issues/49086) Account resource sharing resolves recipient by username before email, granting access to wrong user authorization-services

Enhancements

#48311](https://github.com/href="https://github.com/keycloak/keycloak/issues/48311">/issues/48311) Upgrade to Quarkus 3.33.2 dist/quarkus
#48695](https://github.com/href="https://github.com/keycloak/keycloak/issues/48695">/issues/48695) Add startup check for missing database indexes
#49148](https://github.com/href="https://github.com/keycloak/keycloak/issues/49148">/issues/49148) Add SPI option to disable FD_SOCK2 failure detection
#49526](https://github.com/href="https://github.com/keycloak/keycloak/issues/49526">/issues/49526) Update to simple-git 3.36.0
#49530](https://github.com/href="https://github.com/keycloak/keycloak/issues/49530">/issues/49530) Update to uuid >=13.0.1

Bugs

#45957](https://github.com/href="https://github.com/keycloak/keycloak/issues/45957">/issues/45957) Handling of CORS requests in the Admin UI ineffective / open for CSRF admin/ui
#47036](https://github.com/href="https://github.com/keycloak/keycloak/issues/47036">/issues/47036) Account ResourceService user endpoint returns excessive user data in UMA-enabled realms core
#48324](https://github.com/href="https://github.com/keycloak/keycloak/issues/48324">/issues/48324) UMA IS_ADMIN filter breaks ticket finding authorization-services
#48430](https://github.com/href="https://github.com/keycloak/keycloak/issues/48430">/issues/48430) Wildcard redirect URI matching does not enforce host boundary when * is placed directly after hostname oidc
#48432](https://github.com/href="https://github.com/keycloak/keycloak/issues/48432">/issues/48432) ClientAdapter using wrong value for isFrontChannelLogout oidc
#48438](https://github.com/href="https://github.com/keycloak/keycloak/issues/48438">/issues/48438) Keycloak 26.6.0/26.6.1 exits (code 1) ~100ms after async realm migration completes; migrations not persisted core
#48455](https://github.com/href="https://github.com/keycloak/keycloak/issues/48455">/issues/48455) ContextNotActiveException during error handling core
#48464](https://github.com/href="https://github.com/keycloak/keycloak/issues/48464">/issues/48464) Incomplete SCIM schema definition for objects scim
#48529](https://github.com/href="https://github.com/keycloak/keycloak/issues/48529">/issues/48529) Broken downstream docs formatting on Kubernetes topic docs
#48584](https://github.com/href="https://github.com/keycloak/keycloak/issues/48584">/issues/48584) Updating Keycloak to 26.6.x fails on SQL Server with case sensitive collation core
#48628](https://github.com/href="https://github.com/keycloak/keycloak/issues/48628">/issues/48628) Client registerNode and unregisterNode endpoints fail authenticating the client core
#48681](https://github.com/href="https://github.com/keycloak/keycloak/issues/48681">/issues/48681) ExternalLinksTest: oasis-open.org/standard/saml/ returns 403 in CI causing flaky documentation check ci
#48716](https://github.com/href="https://github.com/keycloak/keycloak/issues/48716">/issues/48716) Missing index IDX_IDP_FOR_LOGIN and IDX_CLIENT_ATT_BY_NAME_VALUE for Microsoft SQL Server core
#48744](https://github.com/href="https://github.com/keycloak/keycloak/issues/48744">/issues/48744) Input validation/ Unhandled NullPointerException on alg:none JWT in Bearer Authentication authentication
#48792](https://github.com/href="https://github.com/keycloak/keycloak/issues/48792">/issues/48792) Virtual Thread checking is not working infinispan
#48806](https://github.com/href="https://github.com/keycloak/keycloak/issues/48806">/issues/48806) NPE when accessing Account UI and the ACCOUNT feature is disabled account/api
#48877](https://github.com/href="https://github.com/keycloak/keycloak/issues/48877">/issues/48877) Keycloak 26.6.1 does not persist UPDATE_PASSWORD for LDAP/AD federated users after temporary password reset ldap
#48904](https://github.com/href="https://github.com/keycloak/keycloak/issues/48904">/issues/48904) Consistent 500 on DELETE of realms via non-browser clients calling REST API admin/api
#49058](https://github.com/href="https://github.com/keycloak/keycloak/issues/49058">/issues/49058) Keycloak fails to run tests with embedded undertow dist/quarkus
#49140](https://github.com/href="https://github.com/keycloak/keycloak/issues/49140">/issues/49140) Workflows documentation: offboarding example is incorrectly enclosing the list of revoked roles with double quotes workflows
#49149](https://github.com/href="https://github.com/keycloak/keycloak/issues/49149">/issues/49149) Disable single thread sender in JGroups infinispan
#49151](https://github.com/href="https://github.com/keycloak/keycloak/issues/49151">/issues/49151) FIPS jobs fail in CI because java-25-openjdk-devel package is missing testsuite
#49163](https://github.com/href="https://github.com/keycloak/keycloak/issues/49163">/issues/49163) Enable JGroups message stats infinispan
#49194](https://github.com/href="https://github.com/keycloak/keycloak/issues/49194">/issues/49194) Use Java 25 again for FIPS jobs testsuite
#49222](https://github.com/href="https://github.com/keycloak/keycloak/issues/49222">/issues/49222) Incorrect link to Themes documentation docs
#49224](https://github.com/href="https://github.com/keycloak/keycloak/issues/49224">/issues/49224) Broken links in UI Customization Guide docs
#49263](https://github.com/href="https://github.com/keycloak/keycloak/issues/49263">/issues/49263) Use the PostgreSQL driver privacy option `logServerErrorDetail` dist/quarkus
#49265](https://github.com/href="https://github.com/keycloak/keycloak/issues/49265">/issues/49265) Since Hibernate 7, the workaround to not log-and-throw Hibernate errors does not longer work dist/quarkus
#49274](https://github.com/href="https://github.com/keycloak/keycloak/issues/49274">/issues/49274) JavaScript CI hangs when installing playwright testsuite
#49288](https://github.com/href="https://github.com/keycloak/keycloak/issues/49288">/issues/49288) Link issue in the documentation for https://www.rfc-editor.org/rfc/rfc7662 docs
#49356](https://github.com/href="https://github.com/keycloak/keycloak/issues/49356">/issues/49356) SAML async processing leaves a dangling threadlocal transaction dist/quarkus
#49611](https://github.com/href="https://github.com/keycloak/keycloak/issues/49611">/issues/49611) Realm extensions require Bearer or Drop authorisation admin/api

Source: README.md, updated 2026-06-04

Other Useful Business Software

$300 Free Credits for Your Google Cloud Projects Icon

$300 Free Credits for Your Google Cloud Projects

Start building on Google Cloud with $300 in free credits. No commitment, no credit card required until you're ready to scale.

Launch your next project with $300 in free Google Cloud credits—no strings attached. Test, build, and deploy without risk. Use your credits across the entire Google Cloud platform to find what works best for your needs. After your credits are used, continue with always-free tier services. Only pay when you're ready to scale. Sign up in minutes and start exploring.

Start Free Trial

Stop Cyber Threats with VM-Series Next-Gen Firewall on Azure Icon

Stop Cyber Threats with VM-Series Next-Gen Firewall on Azure

Native application identity and user-based security for your Azure cloud

Gain integrated visibility across all traffic in a single pass. Deploy Palo Alto Networks VM-Series to determine application identity and content while automating security policy updates via rich APIs.

Get a free trial

$300 Free Credits for Your Google Cloud Projects

Start building on Google Cloud with $300 in free credits. No commitment, no credit card required until you're ready to scale.

Launch your next project with $300 in free Google Cloud credits—no strings attached. Test, build, and deploy without risk. Use your credits across the entire Google Cloud platform to find what works best for your needs. After your credits are used, continue with always-free tier services. Only pay when you're ready to scale. Sign up in minutes and start exploring.

Start Free Trial

Recommended Projects

keycloak-config-cli
Import YAML/JSON-formatted configuration files into Keycloak
Pocket ID
Easy-to-use OIDC provider that allows to authenticate with passkeys
VoidAuth
Single Sign-On for Your Self-Hosted Universe
hydra
Cloud native, security-first, API security for your infrastructure
ORY Oathkeeper
A cloud native Identity & Access Proxy / API (IAP)