Releases: keycloak/keycloak
nightly
Translations update from Hosted Weblate (#47305) * Updated translation for German Language: de Updated translation for German Language: de Updated translation for German Language: de Updated translation for German Language: de Updated translation for German Language: de Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net> Co-authored-by: Hosted Weblate <hosted@weblate.org> Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net> Signed-off-by: Hosted Weblate <hosted@weblate.org> * Updated translation for Russian Language: ru Updated translation for Russian Language: ru Co-authored-by: Anton Petrov <petrov9810@gmail.com> Co-authored-by: Hosted Weblate <hosted@weblate.org> Signed-off-by: Anton Petrov <petrov9810@gmail.com> Signed-off-by: Hosted Weblate <hosted@weblate.org> * Updated translation for Spanish Language: es Updated translation for Spanish Language: es Updated translation for Spanish Language: es Co-authored-by: Ariel Anthieni <aanthieni@kan.com.ar> Co-authored-by: Hosted Weblate <hosted@weblate.org> Signed-off-by: Ariel Anthieni <aanthieni@kan.com.ar> Signed-off-by: Hosted Weblate <hosted@weblate.org> * Updated translation for French Language: fr Updated translation for French Language: fr Updated translation for French Language: fr Updated translation for French Language: fr Updated translation for French Language: fr Updated translation for French Language: fr Updated translation for French Language: fr Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net> Co-authored-by: Hosted Weblate <hosted@weblate.org> Co-authored-by: Sylvain Pichon <service@spichon.fr> Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net> Signed-off-by: Hosted Weblate <hosted@weblate.org> Signed-off-by: Sylvain Pichon <service@spichon.fr> * Updated translation for Swedish Language: sv Updated translation for Swedish Language: sv Co-authored-by: Daniel Nylander <daniel@danielnylander.se> Co-authored-by: Hosted Weblate <hosted@weblate.org> Signed-off-by: Daniel Nylander <daniel@danielnylander.se> Signed-off-by: Hosted Weblate <hosted@weblate.org> --------- Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net> Signed-off-by: Hosted Weblate <hosted@weblate.org> Signed-off-by: Anton Petrov <petrov9810@gmail.com> Signed-off-by: Ariel Anthieni <aanthieni@kan.com.ar> Signed-off-by: Sylvain Pichon <service@spichon.fr> Signed-off-by: Daniel Nylander <daniel@danielnylander.se> Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net> Co-authored-by: Anton Petrov <petrov9810@gmail.com> Co-authored-by: Ariel Anthieni <aanthieni@kan.com.ar> Co-authored-by: Sylvain Pichon <service@spichon.fr> Co-authored-by: Daniel Nylander <daniel@danielnylander.se>
26.5.6
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #45645 CVE-2026-1180 - Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri
oidc - #45647 CVE-2026-1035 - Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition
oidc - #45650 CVE-2025-14777 - Keycloak IDOR in realm client creating/deleting
- #45653 CVE-2025-14082 keycloak-server: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure
- #46719 CVE-2026-3121 - Keycloak: Privilege escalation via manage-clients permission
- #46723 CVE-2026-3190 - Information Disclosure via improper role enforcement in UMA 2.0 Protection API
core - #46922 CVE-2026-3911 Keycloak: Information disclosure of disabled user attributes via administrative endpoint
user-profile - #47062 CVE-2026-2366 Authorization Bypass: Unprivileged tokens can enumerate user organization memberships
organizations
Bugs
- #45889 Federated user disabled when external DB unavailable, never re-enabled
storage - #46239 AUTH_SESSION_ID cookie reuse causes cross-user session contamination on re-authentication
authentication - #46296 UsersResource.search briefRepresentation started to return user attributes
admin/api - #46379 Unexpected error when logging out with offline session and external IDP
oidc - #46459 Operator-built DB config: targetServerType=primary not applied / connection validation not working after master-replica failover (26.5.0)
operator - #46588 Partial LDAP sync duration does not follow the defined value in user federation
ldap - #46605 26.5.4 startup regression with many realms: RealmCacheSession.prepareCachedRealm() scans master admin role composites per realm (O(N²))
core - #46656 Em-Hyphens in SPI options on cache configuration page
docs - #46663 JGroups bind port configuration ignored when --cache-embedded-network-bind-port set
infinispan - #46669 SPIFFE Client assertion throws a NullPointerException if no client is found
token-exchange - #47079 Do not allow fetching organizations of a member if not a member of the current organization
organizations
26.5.5
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #46909 CVE-2026-3047 SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login
- #46910 CVE-2026-3009 Improper Enforcement of Disabled Identity Provider in IdentityBrokerService
- #46911 CVE-2026-2603 Disabled SAML IdP still allows IdP-initiated broker login
- #46912 CVE-2026-2092 saml broker encrypted assertion injection
26.5.4
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #45646 CVE-2026-1190 - Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData
saml - #45649 CVE-2026-0707: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass
- #45776 CVE-2025-5416 keycloak-core: Keycloak Environment Information
- #46372 CVE-2026-2575 - Denial of Service due to excessive SAMLRequest decompression
saml - #46462 CVE-2026-2733 Missing Check on Disabled Client for Docker Registry Protocol
Enhancements
- #46090 New key affinity for session ids
Bugs
- #44488 "Update email" AIA: "Back to Application" URL invokes OIDC callback with missing parameters
oidc - #45065 Client deletion timeout due to large number of client roles
storage - #45680 auth_mellon (SAML) authentication fails after upgrade to 26.5.1 (from 26.4.6)
saml - #45728 Information Disclosure of Client Secret on Unauthenticated Config Endpoint
oidc - #45874 Disabled organizations still resolve in organization‑aware login flows
organizations - #45966 KeycloakRealmImport: Realm created in DB but not visible in Admin Console until restart
operator - #45980 Keycloak cluster with 3 nodes and jdbc-ping stack fails to rejoin after temporary network partition
infinispan - #46100 Makes Database Query on Every Login Page Load Instead of Using Cache
infinispan - #46150 Move upgrading note for SAML to 26.5.4
docs - #46178 Regression: cannot authenticate in keycloak-admin-client
adapter/javascript - #46290 Incorrect code used error, leading to "400 / Code already used" during Infinispan state transfers
infinispan - #46303 JWT Authorization Grant: Always getting “Token was issued too far in the past to be used now” for EntraID issued tokens
oidc - #46312 io.fabric8:docker-maven-plugin:0.40.3:start failed: Cannot invoke "com.google.gson.JsonElement.isJsonNull()" because the return value of "com.google.gson.JsonObject.get(String)" is null
ci
26.5.3
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #46144 CVE-2026-1609 Disabled users can still obtain tokens via JWT Authorization Grant
- #46145 CVE-2026-1529 Forged invitation JWT enables cross-organization self-registration
- #46146 CVE-2026-1486 Logic Bypass in JWT Authorization Grant Allows Authentication via Disabled Identity Providers
- #46147 CVE-2025-14778 Incorrect ownership checks in /uma-policy/
Enhancements
- #45892 Upgrade minikube for CI tests
operator
Bugs
- #44379 Node.js admin client does not refresh tokens
admin/client-js - #45459 k8s multiple restart (oomkilled) in v26.5.0-0 during startup because of RAM
dist/quarkus - #45662 Increase in startup memory consumption in post 26.5 versions
dist/quarkus - #45677 Hibernate Validator is enabled by default when not used
dist/quarkus - #45708 Unpexted value '' in mixed-cluster-compatibility-tests
testsuite - #45745 mixed-cluster-compatibility-tests fail due to incorrectly masked content in 26.5 branch
ci - #45755 Broken YAML indentation in operator rolling updates doc
docs - #45780 Remove fatal log messages from `ConsistentHash`
26.5.2
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #44994 CVE-2025-67735 - netty-codec-http: Request Smuggling via CRLF Injection
dependencies
Enhancements
- #43443 Keycloak should warn when ISPN or JGROUPS is running in debug level logging
- #45498 Ignore OpenAPI artifacts when disabled
dist/quarkus
Bugs
- #44785 Can not get through SSO login if using a custom attribute with default value
user-profile - #45015 Deadlock in Infinispan virtual threads
infinispan - #45250 IDToken contains duplicate address claims
oidc - #45333 User admin events don't show role, group mapping, reset password like events
admin/ui - #45396 Database Migration fails when updating to 26.5.0 on MS SQL
core - #45415 cache-remote-host becomes mandatory at build time when using clusterless feature
infinispan - #45417 Unmanaged Attributes Type (Only administrators can view) allows admin API to set Unmanaged Attributes
user-profile - #45474 Admin REST API document is not up to date
docs - #45526 Regression (26.5.1): Organizations domain resolution fails on MariaDB/MySQL due to ORG/ORG_DOMAIN collation mismatch
organizations - #45533 Keycloak should not allow matrix parameters in URLs as we don't use them
dist/quarkus - #45570 CVE-2025-66560 - io.quarkus/quarkus-rest: Quarkus REST Worker Thread Exhaustion Vulnerability
- #45584 Keycloak supported specs should list DPoP as supported
oidc - #45590 OIDCIdentityProviderConfig issuer configuration
token-exchange - #45597 Possible mismatch of charset/collation between columns on mysql/mariadb
organizations - #45651 CVE-2025-14559 keycloak-services: Keycloak keycloak-services: Business logic flaw allows unauthorized token issuance for disabled users
26.5.1
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #44863 x-robots HTTP header missing for static Keycloak resources, and REST endpoint responses
- #45009 Performance improvement: Missing indexes on BROKER_LINK table columns
- #45182 Allow full managing of realms from master realm without global admin role
Bugs
- #43975 Test Framework -> Embedded server -> Maven execution failure: Failed to read script file from: scripts/default-policy.js
test-framework - #44371 403 Forbidden when assigning realm-management client roles despite FGAP disabled (regression in 26.4.0+)
admin/fine-grained-permissions - #44417 Security issue with Organization feature exposes and fills the account name automatically in user/password form
organizations - #44783 Create Realm button is missing when user has create-realm role
admin/ui - #44860 Admin UI: slow response time listing second user page
admin/ui - #45003 Bug in JWTClientAuthenticator and JWTClientSecretAuthenticator causes NPE
authentication - #45093 Enable visibility of Role Mapping tab for users with view-users role
admin/ui - #45107 Failed upgrade to 26.4.7 - sql generated for manual database upgrade contains invalid statements
storage - #45116 Realm-level admininistrators can no longer use Admin Console since 26.3.0 (UI fails to render)
admin/ui - #45185 ExternalLinkTest fails due to missing _adding_context_for_log_messages anchor
docs - #45226 Failure when decrypting SAML Response since 26.5.0
saml - #45239 Upgrade to 26.5.0 failing due to FK_ORG_INVITATION_ORG constraint
organizations - #45257 Creating IdentityProvider with latest java admin-client may fail against Keycloak server 26.4 or older
admin/client-java - #45307 UI Bug: WebAuthn passkey list is broken in keycloak v2 theme
login/ui
26.5.0
Highlights
This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:
-
Workflows to automate administrative tasks and process within a realm.
-
JWT Authorization Grants, our recommended alternative to external to internal token exchange.
-
Guide for using Keycloak as an authorization server for Model Context Protocol (MCP) servers.
-
Authenticating clients with Kubernetes service account tokens to avoid static client secrets.
-
OpenTelemetry support for metrics and logging, combining all observability information in this popular standard.
Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.
Security and Standards
JWT Authorization Grant (preview)
Keycloak 26.5 introduces a new feature called JWT Authorization Grant, which adds support for RFC 7523 to use external signed JWT assertions to request OAuth 2.0 access tokens.
To accept signed JWT assertions, a trust relationship must be established between the external provider and Keycloak. This trust relationship can be configured through an identity provider in a dedicated section of the OpenID Connect v1.0 identity provider, or through the new JWT Authorization Grant identity provider.
JWT Authorization Grant is recommended as an alternative to External to internal token exchange V1. This feature is in preview, and additional details are available in the dedicated documentation.
Using Keycloak as an authorization server for Model Context Protocol (MCP) servers
Using Keycloak as an authorization server for Model Context Protocol (MCP) servers is becoming popular, so this release ships additional documentation on how to do this.
See Integrating with Model Context Protocol (MCP) for the new guide.
Many thanks to Takashi Norimatsu for the contribution.
CORS enhancements
CORS (Cross Origin Resource Sharing) is a browser security feature that controls how web pages on one domain can request resources from a different domain.
For the OpenID Connect Dynamic Client Registration, you can now specify which CORS headers are allowed via the client registration access policies.
For the overall CORS configuration, you can now allow environment specific headers to be allowed using the SPI option spi-cors--default--allowed-headers.
Logout confirmation page
The client logout configuration now includes an option to show a logout confirmation page. When enabled, users will see a “You are logged out” confirmation page upon successful logout.
Many thanks to Sebastian Łaskawiec for the contribution.
Hiding OpenID Connect scopes from the discovery endpoint
Previously, all scopes of an OpenID Connect client were advertised in the discovery endpoint.
In some situation you might want to avoid it, as the calling client, for example, an MCP server might not support it, or you might want to hide some scopes for preventing their discovery via public APIs.
You can now prevent this by disabling Include in OpenID Provider Metadata.
Administration
Workflows (preview)
Keycloak introduces a new preview feature called Workflows, which allows administrators to automate administrative tasks and process within a realm, introducing a key capability for Identity Governance and Administration (IGA).
For more details, see the Server Administration Guide.
Federated client authentication (preview)
Federated client authentication remains preview due to receiving a number of enhancements and fixes.
There is now preview support to use Kubernetes service accounts tokens as credentials for clients, which avoids static secrets for OpenID Connect clients.
See Kubernetes identity providers in the Server Administration Guide for details.
Organization invitation management
Organization administrators can now manage organization invitations through both the Admin Console and REST API:
-
View all sent invitations with their current status (Pending, Expired)
-
Resend pending invitations to recipients
-
Delete invitation records from the system
-
Filter invitations by status for easier management
All invitations are now persistently stored in the database, providing better tracking and management capabilities.
The invitation management features are available in the Invitations tab when managing an organization in the Admin Console, and through the Organizations REST API endpoints under /admin/realms/{realm}/orgs/{orgId}/invitations.
New event USER_SESSION_DELETED
For each expired user session there is a new user event USER_SESSION_DELETED fired.
This event is published approximately 3-10 minutes after the session has expired depending on job scheduling and load on the system.
By default, this event is not persisted.
Configuring and Running
Containers for PowerPC 64-bit Little Endian architecture
The containers for both the Keycloak and its operator are not available as well for the PowerPC 64-bit Little Endian (ppc64le) architecture. This is in addition to the existing amd64 and arm64.
We expect this to allow users to optimize their usage of open hardware and power consumption.
Improved server response times
Authentication, user, and client sessions are now created on the respective Keycloak node and avoid extra remote calls to neighbors when reading or writing them to the embedded caches. When you have sticky sessions enabled in your loadbalancer, you will benefit from this feature automatically, and you should see reduced response times when authenticating users.
Expired user sessions are now deleted from the database in small batches, instead of issuing a delete statements that affects the whole table. This should allow for better response times when there are a lot of sessions in the table.
Enhanced HTTP performance (preview)
You can now enable a more efficient way to handle JSON data in the HTTP layer. This change increases throughput by ~5%, stabilizes response times, and reduces system resource usage.
In order to apply it, you need to explicitly enable the feature http-optimized-serializers.
|
Note
|
This feature is preview. We gather more feedback about potential issues in this discussion. We appreciate any feedback. |
For more details, see the Configuring Keycloak for production guide.
26.4.7
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #43156 [Docs] Warn users about printing headers in HTTP access logs
docs - #43643 Upgrade to Quarkus 3.27.1
dist/quarkus
Bugs
26.4.6
Highlights
This release adds filtering of LDAP referrals by default. This change enhances security and aligns with best practices for LDAP configurations.
If you can not upgrade to this release yet, we recommend disabling LDAP referrals in all LDAP providers in all of your realms.
For detailed upgrade instructions, review the upgrading guide.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #44478 CVE-2025-13467 Deserialization of untrusted data in ldap user federation
Bugs
- #43323 Sessions not removed when user is deleted
infinispan - #43738 UPDATE_EMAIL action invalidates old email
login/ui - #43754 Flaky test: org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest
ci - #43812 Admin console sends non-JSON payload with content-type: application/json
admin/ui - #44125 Double-encoding of query parameter values (e.g. acr_values) for version 26.4
identity-brokering - #44187 [Keycloak Docs CI] Broken links
docs - #44189 [jdbc-ping] SQLIntegrityConstraintViolationException: Duplicate entry
infinispan - #44229 Unexpected FORMAT_FAILURE error when using cache-config-file with feature-disabled=persistent-user-sessions
infinispan - #44269 Admin Client creates malformed paths for requests
admin/client-js - #44287 Caching of static theme resources in dev mode is disabled
core