github keycloak/keycloak 26.5.6

7 hours ago

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

  • #45645 CVE-2026-1180 - Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri (area: oidc)
  • #45647 CVE-2026-1035 - Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition (area: oidc)
  • #45650 CVE-2025-14777 - Keycloak IDOR in realm client creating/deleting
  • #45653 CVE-2025-14082 - keycloak-server: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure
  • #46719 CVE-2026-3121 - Keycloak: Privilege escalation via manage-clients permission
  • #46723 CVE-2026-3190 - Information Disclosure via improper role enforcement in UMA 2.0 Protection API (area: core)
  • #46922 CVE-2026-3911 - Keycloak: Information disclosure of disabled user attributes via administrative endpoint (area: user-profile)
  • #47062 CVE-2026-2366 - Authorization Bypass: Unprivileged tokens can enumerate user organization memberships (area: organizations)
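The first entry above is a blind SSRF: a registrant supplies a jwks_uri and the server fetches it. The guard below is an added example, not Keycloak's code or the actual fix for CVE-2026-1180; it shows the checks a practitioner would put in front of any registrant-supplied URL (scheme, userinfo, port, literal and resolved addresses, IPv4-mapped IPv6) and returns the validated IP so the fetcher can connect to exactly that address rather than re-resolving. The function names, the blocked-network list and the constructed resolver table are assumptions of this example.

```python
"""Generic jwks_uri guard (added example; not Keycloak's implementation)."""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Ranges an authorization server must never fetch from on a registrant's behalf:
# unspecified, loopback, RFC 1918, CGNAT, link-local (which includes the
# 169.254.169.254 cloud metadata address), multicast, and their IPv6 equivalents.
_BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Return every A/AAAA answer for host (real DNS; tests inject a fake)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed resolver table used for the offline demo below (hypothetical hosts).
_DEMO_TABLE = {
    "idp.example.com": ["203.0.113.10"],
    "split.example": ["203.0.113.10", "10.0.0.5"],  # one public, one private answer
    "metadata.example": ["169.254.169.254"],
}


def demo_resolver(host: str) -> List[str]:
    return _DEMO_TABLE.get(host, [])


def _is_blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.1 is a private IPv4 host; judge it by its IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in _BLOCKED_NETWORKS)


def check_jwks_uri(url: str, resolver: Resolver = system_resolver) -> str:
    """Validate a registrant-supplied jwks_uri and return the address to connect to.

    Raises ValueError on any rejection. Every resolved answer must be allowed,
    since a resolver returning a mix of public and private addresses lets the
    HTTP client fall through to the private one on retry.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("jwks_uri must use https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in jwks_uri is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("jwks_uri has no host")
    if parts.port not in (None, 443):
        raise ValueError("jwks_uri must use port 443")
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    addrs = [str(literal)] if literal is not None else list(resolver(host))
    if not addrs:
        raise ValueError("jwks_uri host does not resolve")
    for addr in addrs:
        if _is_blocked(addr):
            raise ValueError(f"jwks_uri resolves to a blocked address: {addr}")
    # The caller should pin its connection to this address, not re-resolve.
    return addrs[0]


def is_safe_jwks_uri(url: str, resolver: Resolver = system_resolver) -> bool:
    try:
        check_jwks_uri(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://idp.example.com/jwks", "https://split.example/jwks",
              "https://[::ffff:169.254.169.254]/jwks", "http://idp.example.com/jwks"):
        print(u, "->", is_safe_jwks_uri(u, demo_resolver))
```

Returning the pinned address rather than a boolean matters: if the fetcher resolves the hostname a second time, a rebinding DNS server can answer with an internal address after the check passed.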

Bugs

  • #45889 Federated user disabled when external DB unavailable, never re-enabled (area: storage)
  • #46239 AUTH_SESSION_ID cookie reuse causes cross-user session contamination on re-authentication (area: authentication)
  • #46296 UsersResource.search briefRepresentation started to return user attributes (area: admin/api)
  • #46379 Unexpected error when logging out with offline session and external IDP (area: oidc)
  • #46459 Operator-built DB config: targetServerType=primary not applied / connection validation not working after master-replica failover (26.5.0) (area: operator)
  • #46588 Partial LDAP sync duration does not follow the defined value in user federation (area: ldap)
  • #46605 26.5.4 startup regression with many realms: RealmCacheSession.prepareCachedRealm() scans master admin role composites per realm (O(N²)) (area: core)
  • #46656 Em-hyphens in SPI options on cache configuration page (area: docs)
  • #46663 JGroups bind port configuration ignored when --cache-embedded-network-bind-port set (area: infinispan)
  • #46669 SPIFFE client assertion throws a NullPointerException if no client is found (area: token-exchange)
  • #47079 Do not allow fetching organizations of a member if not a member of the current organization (area: organizations)
