keycloak

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

• #381 [CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration / #YWH-PGM40475-168 authorization-services
• #392 [CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access) / #YWH-PGM40475-113 authorization-services
• #407 [CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission #YWH-PGM40475-171 admin/rbac
• #427 [CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens / #YWH-PGM40475-220 oidc
• #453 [CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account authentication/webauthn
• #531 [CVE-2026-7507] [Vulnerability Report] Session fixation in OIDC login flow leading to account takeover authentication
• #573 [CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data oidc
• #578 [CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak oidc
• #594 [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint saml
• #685 [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint
• #47485 CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service
• #47486 CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing
• #47932 [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters authorization-services
• #48049 [CVE-2026-37980] Stored XSS in select-organization.ftl - FreeMarker HTML-escape insufficient in inline JS handler organizations
• #48275 CVE-2026-5588 Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules core
• #48388 [CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration authentication/webauthn
• #48570 [CVE‐2026‐0636, CVE‐2026‐3505, CVE‐2026‐5598] Multiple bouncycastle CVEs core
• #49108 [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint
• #49109 [CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak
• #49110 [CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data
• #49111 [CVE-2026-7507] Session fixation in OIDC login flow leading to account takeover
• #49112 [CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account
• #49113 [CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens
• #49114 [CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission
• #49115 [CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access)
• #49116 [CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration

Enhancements

• #47728 Monitor backups for CNPG - describe how to monitor it in the CNPG for backups installation guide
• #47734 Add dedicated "Monitoring Standbys" section to the general installation documentation
• #48329 JDBC_PING in 26.6 should not fail with 26.7 schema changes
• #48348 Escape expressions in JS blocks in FTL pages
• #48687 Upgrade to Quarkus 3.33.1.1

Bugs

• #38526 Duplicate user attribute values cannot be removed core
• #40602 Account UI reports "Something went wrong" when opening an unknown path account/ui
• #47882 Broken link in deploy-cnpg docs
• #47901 Realm import with --import-realm fails with ModelValidationException when Admin Permissions is enabled admin/fine-grained-permissions
• #47915 FreeMarker templates allow instantiation of new objects and even running OS commands login/ui
• #47987 FGAP v2 Specific Group permission has no scopes found in resource admin/fine-grained-permissions
• #48030 Update to operator version 26.6.0 needs deletion of all objects operator
• #48040 User session limit generates fatal error authentication
• #48094 Wrong referenced resource type in Workflow handling for clients core
• #48123 Clarify canonicalization in X.509 authentication authentication
• #48143 Ordering of permission and policy calls leads to exposure of a client ID admin/api
• #48185 Deleted workflow still attempting to run workflows
• #48241 JavaScript Injection in frontchannel-logout.ftl via frontchannel-logout.title authentication
• #48259 Kubernetes identity providers docs still mention it to be a preview feature docs
• #48313 No escape approach for JS code inside the front channel logout FTL login/ui
• #48536 Review migration guide for rolling updates changes workflows
• #48629 WindowsServiceDistTest.testServiceLifecycle fails on slower runners due to insufficient startup timeout ci