Keycloak 26.2.5 released

May 28 2025

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

• #39469 Fix Securing Apps links to adapters docs
• #39486 Email server credentials can be harvested through host/port manipulation admin/api
• #39541 Fix doc link to FGAP v1 docs
• #39543 Apply edits to Operators Guide docs
• #39572 Edit Observability Guide docs
• #39590 Fix callouts in Operator guide docs
• #39638 Sessions from Infinispan should be mapped lazily for the Admin UI
• #39651 Speed up Infinispan list of all sessions be more eagerly remove old client sessions
• #39665 When logging in, all client sessions are loaded which is slow oidc

Bugs

• #39130 Authorization Code Flow Fails Scope Validation After Credential Definition Migration to Realm Level oid4vc
• #39157 [quarkus-next] TestEngine with ID 'junit-jupiter' failed to discover tests dist/quarkus
• #39264 [OID4VCI] Documentation Errors docs
• #39358 Aggregated policy: Cannot select policies that do not appear in the drop-down list admin/ui
• #39450 quarkus runtime options are treated as buildtime options dist/quarkus
• #39496 [26.2.3/26.1.5] Regression: empty ClientList in UI for Custom UserStorageProvider admin/ui
• #39499 UI does not show user's attributes after reentering the Attributes TAB admin/ui
• #39502 Refreshed tokens are not persisted for IDP token exchange token-exchange
• #39509 UI does not show organization's attributes after reentering the Attributes TAB account/ui
• #39538 Autocomplete in Mapper type of user federation broken admin/ui
• #39540 Forms IT tests breaks with Chrome 136.0.7103.59 ci
• #39612 Unable to change the OTP hash algorithm admin/ui
• #39614 Keycloak not using custom Infinispan config infinispan
• #39663 Duplicate validation message “Please specify username.” shown on login form login/ui
• #39693 Clicking on the jump links removes the localization of the UI admin/ui
• #39697 Authorization documentation shows the wrong view authorization-services
• #39710 Recreate update is not scaling down the statefulset to zero operator
• #39724 Hibernate LazyInitializationException when deleting client with CompositeRoles core
• #39753 POST realm API returns 400 on conflict instead of 409 in version 26.2.4 admin/api
• #39798 Documentation has outdated link to the "latest" branch of quickstarts docs
• #39800 [KEYCLOAK CI] - AuroraDB IT - Create EC2 runner instance ci