Keycloak 26.3.5 released

September 25 2025

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

• #41371 Upgrade to Quarkus 3.20.3 LTS dist/quarkus
• #41373 Remove explicit MariaDB connector dependency dist/quarkus

Bugs

• #41418 Access to user details for restricted admin fails after enabling organizationin realm organizations
• #42405 Old hmac-generated (32bit) is recreated when order is changed in realm keys ui core
• #42491 CVE-2025-58057 - Netty BrotliDecoder / Data Amplification vulnerability dist/quarkus
• #42492 CVE-2025-58056 - Netty HTTP Request Smuggling vulnerability dist/quarkus
• #42736 Reset password in admin UI with 'not recently used' password policy leads to error 'Device already exists with the same name' core
• #42769 Missing switch "ID Token as detached signature" in the admin console client settings oidc
• #42922 Dynamic Client Registration invalidates the realm cache core