
Release history

keycloak releases

Open Source Identity and Access Management For Modern Applications and Services

All releases


26.6.2 Breaking risk
Categories: Auth, RBAC, Crypto / TLS
CVE fixes

26.6.1 Breaking risk
Breaking changes
  • MigrateTo26_6_0 modifies custom browser flows, breaking existing realm authentication
Security fixes
  • CVE-2026-4366: Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling
  • CVE-2026-4633: Keycloak user enumeration via identity-first login
Notable features
  • Database data at rest encryption
  • CloudNativePG updated to 1.29
26.6.0
Based on the provided changelog, here is a summary of the key changes, categorized by their impact:
Key Improvements & Features
  • New Capabilities: Added support for-related features such as managing credentials/secrets via LDAP and potential new automation for developers.
  • Performance & Efficiency:
    • Significant optimizations for resource management, including smarter handling of JDBC connections and reduced thread consumption.
    • Improved database connection mana

26.5.7 Security relevant
Security fixes
  • CVE-2025-14083: Improper Access Control in Admin REST API leads to information disclosure
  • CVE-2026-1002: Static handler component cache manipulation enables denial of static file access
  • CVE-2026-3429: Improper Access Control for Level of Assurance during credential deletion
26.5.6 Security relevant
Security fixes
  • CVE-2026-1180: Blind SSRF in OIDC Dynamic Client Registration via jwks_uri
  • CVE-2026-1035: Refresh Token Reuse Bypass via TOCTOU Race Condition
  • CVE-2025-14777: IDOR in realm client creating/deleting
26.5.5 Security relevant
Security fixes
  • CVE-2026-3047: SAML broker authentication bypass due to disabled SAML client completing IdP-initiated login
  • CVE-2026-3009: Improper Enforcement of Disabled Identity Provider in IdentityBrokerService
  • CVE-2026-2603: Disabled SAML IdP still allows IdP-initiated broker login
26.5.4 Security relevant
Security fixes
  • CVE-2026-1190: SAML brokering response delay due to unchecked NotOnOrAfter
  • CVE-2026-0707: Authorization Header Parsing leading to potential security control bypass
  • CVE-2025-5416: Environment Information disclosure
Notable features
  • New key affinity for session ids
26.5.3 Security relevant
Security fixes
  • CVE-2026-1609: Disabled users can still obtain tokens via JWT Authorization Grant
  • CVE-2026-1529: Forged invitation JWT enables cross-organization self-registration
  • CVE-2026-1486: Logic Bypass in JWT Authorization Grant allows authentication via disabled IdP
26.5.2 Security relevant
Security fixes
  • CVE-2025-67735: netty-codec-http: Request Smuggling via CRLF Injection
  • CVE-2025-66560: io.quarkus/quarkus-rest: Quarkus REST Worker Thread Exhaustion Vulnerability
  • CVE-2025-14559: keycloak-services: Unauthorized token issuance for disabled users
26.5.1 Bug fix
Notable features
  • Performance improvement with BROKER_LINK table indexes
  • Realm management without requiring global admin role
  • x-robots HTTP header for static resources
26.5.0 New feature
Notable features
  • Workflows for automating administrative tasks
  • JWT Authorization Grants (RFC 7523)
  • OpenTelemetry support for metrics and logging