Keycloak 26.6.3 Security and Bug Fix Release

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

• #47707 CVE-2026-4800 lodash vulnerable to Code Injection via `_.template` imports key names account/ui
• #47935 [CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint manipulation oidc
• #48036 [CVE-2026-37977] CORS Access-Control-Allow-Origin reflected from unverified JWT azp claim on UMA token endpoint authorization-services
• #48709 [CVE-2026-7500] Improper Access Control on Keycloak Server when the account Account API feature is disabled account/api
• #48805 CVE-2026-42581 Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
• #49118 [CVE-2026-8922] OIDC token introspection ignores realm-level notBefore when client-level notBefore is set oidc
• #49133 [CVE-2026-8830] Missing server-side WebAuthn validations during credential registration authentication/webauthn
• #49174 [CVE-2026-9088] Group Members Endpoint Bypasses User Profile Permissions admin/fine-grained-permissions
• #49175 [CVE-2026-9087] Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login identity-brokering
• #49426 [CVE-2026-9802] Server restart resets startupTime, allowing reuse of rotated refresh tokens when revokeRefreshToken=true oidc
• #49428 [CVE-2026-9794] SAML ECP faultstring discloses client existence and configuration state saml
• #49431 [CVE-2026-9791] Organization data exposed in tokens and account API when Organizations feature is disabled at realm level organizations
• #49433 [CVE-2026-0707] ClientRegistrationAuth DoS via malformed Authorization header (CVE-2026-0707 incomplete fix) admin/api
• #49434 [CVE-2026-9801] DoS in LDAP federation via malformed PasswordPolicyControl ldap
• #49435 [CVE-2026-9704] Privilege escalation via silent subject_token removal in token exchange oidc
• #49436 [CVE-2026-9792] ROPC grant bypass in client policy enforcement oidc

Weaknesses

• #48978 UNSAFE_PATH_PATTERN regex to cover percent-encoded terminators and control characters oidc
• #48986 Authorization Services: NullPointerException in UMA permission grant when stale permission ticket references removed scope authorization-services
• #48987 Account API: Resource sharing endpoints ignore userManagedAccessAllowed realm setting authorization-services
• #49086 Account resource sharing resolves recipient by username before email, granting access to wrong user authorization-services

Enhancements

• #48311 Upgrade to Quarkus 3.33.2 dist/quarkus
• #48695 Add startup check for missing database indexes
• #49148 Add SPI option to disable FD_SOCK2 failure detection
• #49526 Update to simple-git 3.36.0
• #49530 Update to uuid >=13.0.1

Bugs

• #45957 Handling of CORS requests in the Admin UI ineffective / open for CSRF admin/ui
• #47036 Account ResourceService user endpoint returns excessive user data in UMA-enabled realms core
• #48324 UMA IS_ADMIN filter breaks ticket finding authorization-services
• #48430 Wildcard redirect URI matching does not enforce host boundary when * is placed directly after hostname oidc
• #48432 ClientAdapter using wrong value for isFrontChannelLogout oidc
• #48438 Keycloak 26.6.0/26.6.1 exits (code 1) ~100ms after async realm migration completes; migrations not persisted core
• #48455 ContextNotActiveException during error handling core
• #48464 Incomplete SCIM schema definition for objects scim
• #48529 Broken downstream docs formatting on Kubernetes topic docs
• #48584 Updating Keycloak to 26.6.x fails on SQL Server with case sensitive collation core
• #48628 Client registerNode and unregisterNode endpoints fail authenticating the client core
• #48681 ExternalLinksTest: oasis-open.org/standard/saml/ returns 403 in CI causing flaky documentation check ci
• #48716 Missing index IDX_IDP_FOR_LOGIN and IDX_CLIENT_ATT_BY_NAME_VALUE for Microsoft SQL Server core
• #48744 Input validation/ Unhandled NullPointerException on alg:none JWT in Bearer Authentication authentication
• #48792 Virtual Thread checking is not working infinispan
• #48806 NPE when accessing Account UI and the ACCOUNT feature is disabled account/api
• #48877 Keycloak 26.6.1 does not persist UPDATE_PASSWORD for LDAP/AD federated users after temporary password reset ldap
• #48904 Consistent 500 on DELETE of realms via non-browser clients calling REST API admin/api
• #49058 Keycloak fails to run tests with embedded undertow dist/quarkus
• #49140 Workflows documentation: offboarding example is incorrectly enclosing the list of revoked roles with double quotes workflows
• #49149 Disable single thread sender in JGroups infinispan
• #49151 FIPS jobs fail in CI because java-25-openjdk-devel package is missing testsuite
• #49163 Enable JGroups message stats infinispan
• #49194 Use Java 25 again for FIPS jobs testsuite
• #49222 Incorrect link to Themes documentation docs
• #49224 Broken links in UI Customization Guide docs
• #49263 Use the PostgreSQL driver privacy option `logServerErrorDetail` dist/quarkus
• #49265 Since Hibernate 7, the workaround to not log-and-throw Hibernate errors does not longer work dist/quarkus
• #49274 JavaScript CI hangs when installing playwright testsuite
• #49288 Link issue in the documentation for https://www.rfc-editor.org/rfc/rfc7662 docs
• #49356 SAML async processing leaves a dangling threadlocal transaction dist/quarkus
• #49611 Realm extensions require Bearer or Drop authorisation admin/api