github keycloak/keycloak 26.6.4

7 hours ago

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

  • #50344 CVE-2026-9099 Keycloak: group-admin escalation to realm-admin
  • #50345 CVE-2026-9083 Keycloak: information disclosure through arbitrary filesystem path probing
  • #50347 CVE-2026-9086 Keycloak: cross-site scripting (XSS) via case-insensitive URI validation bypass
  • #50349 CVE-2026-9705 Keycloak: attacker can re-enable and take over disabled clients via registration access token
  • #50350 CVE-2026-9795 Keycloak: privilege escalation via improper scope mapping enforcement
  • #50351 CVE-2026-9799 Keycloak: unauthorized access to resources via UMA permission ticket bypass
  • #50352 CVE-2026-9800 Keycloak policy enforcer: authorization bypass via incorrect URI comparison
  • #50357 CVE-2026-11800 Keycloak: Authentication bypass via JWT algorithm confusion

Enhancements

  • #50100 Upgrade to Quarkus 3.33.2.1

Bugs

  • #47999 [Keycloak JavaScript CI] - Build Keycloak (ci)
  • #49639 Keycloak Admin Client tests fails in CI (ci)
  • #49700 Incorrect migration guide reference (docs)
  • #49707 Cannot build project due to ISPN protoschema and 26.2 branch infinispan
  • #49733 keycloak-api-docs-dist is not deployable (dist/quarkus)
