Keycloak 26.3.3 released

August 20 2025

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

• #41558 Ensure cache configuration has correct number of owners
• #41934 Infinispan 15.0.19.Final
• #41963 Upgrade to Quarkus 3.20.2.1 dist/quarkus

Bugs

• #39562 Breaking template change: Unknown `locale` input field added to user-profile registration page user-profile
• #40984 Backchannel logout token with an unexpected signature algorithm key oidc
• #41023 Can't send e-mails to international e-mail addresses: bad UTF-8 syntax core
• #41098 Locked out after upgrade to 26.3.1 due to missing sub in lightweight access token core
• #41268 `--optimized` flag and providers jar are incompatible when used with tools changing `last-modify-date` dist/quarkus
• #41290 Concurrent starts with JDBC_PING lead to a split cluster infinispan
• #41390 JDBC_PING2 doesn't merge split clusters after a while infinispan
• #41421 Broken link securing-cache-communication in caching docs docs
• #41423 Duplicate IDs in generated all configuration docs docs
• #41469 Uncaught exception cases unclosed spans in tracing dist/quarkus
• #41488 Synchronize Maven surefire plugin with Quarkus dist/quarkus
• #41491 ExternalLinks are broken in documentation docs
• #41520 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and KERBEROS_PRINCIPAL was null on creation ldap
• #41532 LDAP Sync all users takes unexpectedly long in 26.3 (> 30 min) ldap
• #41537 Getting error 405 "Method Not Allowed" when calling the "certs" endpoint with HEAD method oidc
• #41643 Test SMTP connection fails when no port is specified admin/api
• #41663 Typo in the caching doc docs
• #41677 Provider default regression dist/quarkus
• #41808 CVE-2025-7962 In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages core
• #41842 memberOf attribute empty or values with a DN that does not match the role base DN fetches all roles ldap
• #41906 Backwards incompatible changes to 26.3.0 cause NullPoointerException when requesting /certificates/jwt.credential/generate-and-download authentication
• #41945 After upgrade to 26.3: Not possible to use Credentials having not-unique label login/ui