Keycloak 26.4.0 released

September 30 2025

To download the release go to Keycloak downloads.

Highlights

This release features new capabilities focused on security enhancements, deeper integration, and improved server administration. The highlights of this release are:

Passkeys for seamless, passwordless authentication of users.
Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.
Simplified deployments across multiple availability zones to boost availability.
FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.
DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.

Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.

Security and Standards

Passkeys integration (supported)

Passkeys are now seamlessly integrated in the Keycloak login forms using both conditional and modal UIs. To activate the integration in the realm, go to Authentication, Policies, Webauthn Passwordless Policy and switch Enable Passkeys to enabled.

For more information, see Passkeys.

FAPI 2 Final (supported)

Keycloak has support for the latest versions of FAPI 2 specifications. Specifications FAPI 2.0 Security Profile and FAPI 2.0 Message Signing are already promoted to Final and Keycloak supports them. Keycloak client policies support the final versions and corresponding client profiles for FAPI 2 are passing the FAPI conformance test suite.

Apart from some very minor polishing of existing policies, Keycloak has new client profiles (fapi-2-dpop-security-profile and fapi-2-dpop-message-signing) for the clients that use DPoP and are intended to be FAPI 2 compliant.

Thank you to Takashi Norimatsu for contributing this.

For more details, see the Securing applications Guides.

DPoP (supported)

Keycloak has support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP), which was a preview feature since Keycloak 23. Also, the supported version includes some improvements and minor capabilities of the DPoP feature such as the following:

Possibility to make only refresh tokens of a public client to be DPoP bound and omit the binding of an access token.
All Keycloak endpoints that are secured by bearer token can now handle DPoP tokens. This includes, for example, the Admin REST API and Account REST API.
Possibility to require the dpop_jkt parameter in the OIDC authentication request.

Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions to the DPoP feature.

For more information, see the DPoP section in the documentation.

FIPS 140-2 mode now supports EdDSA

With the upgrade to Bouncy Castle 2.1.x, the algorithm EdDSA can now be used.

Listing supported OAuth standards on one page

A new guide lists all implemented OpenID Connect related specifications. Thank you to Takashi Norimatsu for contributing this.

Integration

Federated client authentication (preview)

Identity providers are now able to federate client authentication. This allows clients to authenticate with SPIFFE JWT SVIDs, Kubernetes service account tokens, or tokens issued by an OpenID Connect identity provider.

Automatic certificate management for SAML clients

The SAML clients can now be configured to automatically download the signing and encrypting certificates from the SP entity metadata descriptor endpoint. In order to use this new feature, in the client Settings tab, section Signature and Encryption, configure the Metadata descriptor URL option (the URL where the SP metadata information with the certificates is published) and activate Use metadata descriptor URL. The certificates will be automatically downloaded and cached in the public-key-storage SPI from that URL. This also allows for seamless rotation of certificates.

For more information, see Creating a SAML client in the Server Administration Guide.

Serving as an authorization server in MCP

MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. Using MCP, AI applications can connect to data sources, tools and workflows enabling them to access key information and perform tasks.

To comply with MCP specification, this version provides its OAuth 2.0 Server Metadata via a well-known URI whose format complies with RFC 8414 OAuth 2.0 Authorization Server Metadata specification. Therefore, Keycloak users can now use Keycloak as an authorization server for MCP.

The latest MCP specification 2025-06-18 additionally requires support for resource indicators which are currently not implemented in Keycloak.

Administration

Update Email Workflow (supported)

Users can now update their email addresses in a more secure and consistent flow. Accounts are forced to both re-authenticate and verify their emails before any account updates.

For more information, see Update Email Workflow.

This feature is currently preview, and expected to become supported in 26.5.

Optional email domain for organizations

In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios. Starting with this release, an email domain is optional. Thank you to Alexis Rico for contributing this.

When no domain is specified, organization members will not be validated against domain restrictions during authentication and profile validation.

Hiding identity providers from the Account Console

You can now control which identity providers appear in the Account Console based on different options using the Show in Account console setting. You can choose to show only those linked with a user or hide them completely.

For more information, see General configuration.

Enforce recovery codes setup after setting up OTP

If you have enabled OTPs and recovery codes as a second factor for authentication, you can configure the OTP required action to ask users to set up recovery codes once they set up an OTP. Thank you to Niko Köbler for contributing this.

New conditional authenticator

The Conditional - credential is a new authenticator that checks if a specific credential type has been used (or not used) during the authentication process. This condition is related to the Passkeys feature. It is added by Keycloak to the default browser flow to skip 2FA in case a passkey was used to log in as the primary credential.

For more information about conditional flows, see Conditions in conditional flows.

Translations managed by Weblate

The Keycloak distribution now includes 35 community translations, with Kazakh, Azerbaijani and Slovenian added in this release. Community volunteers now maintain some of the translations in Weblate to keep them up to date.

If you want to volunteer to maintain an existing or a new translation via Weblate, you can find the necessary steps in the translation guidelines.

Configuring and Running

Enhancements for single-cluster and multi-cluster setups

This release renamed multi-site to multi-cluster. The updated documentation describes how Keycloak clusters can be optionally distributed across multiple availability-zones within a region for increased availability. The Keycloak Operator now deploys Keycloak across multiple availability zones within a Kubernetes cluster by default. Keycloak also detects split-brains within a cluster.

This change should provide better availability for users who are running Keycloak in Kubernetes clusters that span multiple availability zones.

Support for additional databases and versions

With this release, we added support for the following new database vendors:

EnterpriseDB (EDB) Advanced 17.6
Azure SQL Database and Azure SQL Managed Instance

Where the previous documentation stated only tested database version, it now states all the supported database versions as well.

Expose management interface via HTTP

Previous versions exposed the management endpoint only via HTTPS when the main interface was using HTTPS.

Set the new option http-management-scheme to http to have the management interface use HTTP rather than inheriting the HTTPS settings of the main interface. This allows monitoring those endpoints in environments where no TLS client is available.

Expose health endpoints on the main HTTP(S) port

With health-enabled set to true, you may set the http-management-health-enabled to false to indicate that health endpoints should be exposed on the main HTTP(s) port instead of the management port. When this option is false you should block unwanted external traffic to /health at your proxy.

This allows using the health endpoints in environments where the load balancer might need access to those ports to direct traffic to the correct nodes.

Specify a `tlsSecret` on the Keycloak CR `ingress` spec

To support basic TLS termination (edge) deployments by the operator, you may now set the Keycloak CR spec.ingress.tlsSecret field to a TLS Secret name in the namespace.

Additional datasources configuration (supported)

Some Keycloak use cases like User Federation might require connecting to additional databases. This was possible only through specifying unsupported raw Quarkus properties in previous Keycloak versions. In this release, there are now dedicated server options for additional datasources. This allows users to leverage additional databases in their extensions in a supported and user-friendly way.

Read more about it in the Configure multiple datasources guide.

Observability

Operator creates a ServiceMonitor automatically

The Operator now provisions a ServiceMonitor for the management endpoint if metrics are enabled and the monitoring.coreos.com/v1:ServiceMonitor Custom Resource Definition is present on the Kubernetes cluster. The specification of the ServiceMonitor takes into account the various management endpoint configurations, to ensure that metrics can be scraped without any additional configuration. If you do not want a ServiceMonitor to be created, you can disable this by setting spec.serviceMonitor.enabled: false. For more details, see the Operator Guide.

HTTP access logging of incoming HTTP requests

Keycloak supports HTTP access logging to record details of incoming HTTP requests. While access logs are often used for debugging and traffic analysis, they are also important for security auditing and compliance monitoring.

For more information, see Configuring logging.

Showing context information in log messages (preview)

You can now add context information via the mapped diagnostic context (MDC) to each log message like the realm or the client that initiated the request. This helps you to track down a warning or error message in the log to a specific caller or environment Thank you to Björn Eickvonder for contributing this.

For more details on this opt-in feature, see Configuring logging.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#19732 "linked-accounts" endpoint displays all Identity providers account/api
#40237 Add option "Requires short state parameter" to OIDC IDP authentication
#40696 Wrap deprecated passkeys authenticator behind the feature authentication/webauthn
#41316 Test suites config for the new test framework test-framework
#41357 Disable tests for specific databases and servers in test framework test-framework
#42313 Experimental SPIFFE identity provider
#42742 Supported EnterpriseDB Advanced 17
#42743 Supported Azure SQL

Enhancements

#10063 Display transport media for WebAuthn authenticators in Account console account/ui
#14644 External IDP tokens are not refreshed automatically for OAuth2 & OIDC IDPs when retrieving the external token identity-brokering
#17028 SAML: Adapter SP seamless certificate rotation saml
#19213 Allow enabling debug and verbose via environment variables dist/quarkus
#21816 Expose Keycloak config errors in the Keycloak CR status field operator
#22730 REST API returns different amount of users admin/api
#23972 Improve handling config options in scripts preventing re-augmentation
#25668 Remove duplication of MP config initialization dist/quarkus
#26277 DPoP: Allow to only DPoP-bind refresh tokens and still issue access tokens of type Bearer oidc
#26995 Bad performance when requesting events of a user
#27025 Move import/export validation to the Property Mappers dist/quarkus
#28846 Allow the target attribute on in the kcSanitize core

#29295 Exact match in users/count
#30095 High Availability guides should make distinction between single-site and multi-site deployments docs
#31285 Make domains for organisations optional
#32129 Automatically create external caches for MULTI_SITE deployments
#32569 Verify email when using UPDATE_EMAIL action without depending on realm wide setting
#33942 Make sure Keycloak endpoints have DPoP validation oidc
#34114 Operator: Support ConfigMaps for `Keycloak.spec.truststores`
#34206 Move to single approach for setting `Robots` specifications: prefer `X-Robots-Tag` header to `` tags core
#34244 Enable branding without code changes
#34777 [Operator] Use TLS secret for Ingress operator
#35441 Add FAPI 2.0 + DPoP security profile as default profile of client policies oidc
#36160 Default values for User attributes.
#36268 Configuration is not available outside of quarkus modules
#37363 Allow custom labels on Operator Ingress operator
#37600 Experimental support for authenticating clients with Kubernetes Service Accounts
#38126 Improve documentation for the HEALTHCHECK Dockerfile directive docs
#38897 Add WASM support to the MimeTypeUtil
#39293 [OID4VCI] Update credential format identifier of SD-JWT VCs from `vc+sd-jwt` to `dc+sd-jwt` oid4vc
#39299 Improve docs, and possibly defaults, around ldap pooling
#39342 Description for using too many threads / connections is incomplete core
#39658 OpenTelemetry Tracing: Visualize JGroups communication infinispan
#39812 Add filter to include/fill MDC with request specific data for json logging
#40061 Redundant null-checks. SAST
#40067 Always null field in KeySelectorUtilizingKeyNameHint. SAST
#40069 Possible dereference of Null
#40226 Review and update the documentation regarding the UPDATE EMAIL feature
#40227 Make UPDATE_EMAIL a supported feature
#40231 Improve javadoc for admin-client methods with injecting own resteasyClient admin/client-java
#40296 Update docs how to verify that a cluster has formed
#40377 Allow to expose IDP custom config values to Keycloak themes
#40388 Write documentation for additional datasources docs
#40406 Create ServiceMonitor via KC Operator
#40464 Improve extensibility of custom AccountConsole endpoint handling account/ui
#40481 Provide CLI Parameters for jgroups.* options infinispan
#40592 Upgrade to the Quarkus 3.24.2 version dist/quarkus
#40619 When editing protocol mappers, shows required properties admin/ui
#40629 Signs of fall-through behavior. SAST
#40630 Double check when working with multithreading. SAST
#40659 Possible Dereference of Null. SAST
#40660 Resources leak. SAST
#40677 Redundant null checks - operator new. SAST
#40683 Remove workaround for handling Syslog counting framing
#40687 Remove workaround for PostgreSQL and Liquibase
#40739 Avoid floating promises in UI code account/ui
#40761 Change naming for disabling additional datasource
#40792 Changing default passwordless webauthn policy to follow recommended values in the documentation authentication/webauthn
#40851 Upgrade to Infinispan 15.0.16.Final
#40855 External-internal token exchange independent from FGAP v1 token-exchange/federated
#40858 Check cluster is correctly formed in ClusteredKeycloakServer test-framework
#40874 Update code and documentation for import of a new realm
#40875 Improve memory footprint of single file realm import
#40923 Compliant with RFC8414, return server metadata at /.well-known/oauth-authorization-server/realms/{realm} core
#40926 More secure call of Facebook debug token token-exchange/federated
#40933 Allow configure encryption details for SAML clients saml
#40962 Update limitations of the preview feature rolling updates for patch releases infinispan
#40970 Run clustering compatibility tests on release/x.y branches
#41014 Operator auto update hash operator
#41022 Allow Features to declare that they support Rolling upgrades
#41034 Improve logging for client sessions load
#41045 Update email feature only enabled if the required action is enabled at the realm
#41074 Import client sessions into Infinispan concurrently for persistent sessions
#41119 FAPI 2.0 Security Profile Final - only accept its issuer identifier value as a string in the aud claim received in client authentication assertions oidc
#41120 FAPI 2.0 Security Profile Final - Add FAPI 2.0 Final security profile as default profile of client policies oidc
#41121 FAPI 2.0 Security Profile Final - Documentation oidc
#41138 Implement CompatibilityMetadataProvider for Cache CLI args
#41151 Update Traditional Chinese locale to latest version
#41161 Require setting DB kind for additional datasources dist/quarkus
#41172 Upgrade to Quarkus 3.24.3
#41176 Document supported OIDC/OAuth2 standards oidc
#41186 Upgrade to Quarkus 3.25.0 dist/quarkus
#41192 Improve handling of datasource name specified in `persistence.xml` files dist/quarkus
#41208 MDC logging should contain the authentication session and user session ID
#41214 Document configuration changes that prevent rolling updates
#41219 Document spi-user-sessions--infinispan--use-batches
#41222 Provide DB SQL options support for additional datasources dist/quarkus
#41229 Remove obsolete code for the Liquibase LogHistoryService core
#41239 Migrate to zh-Hans / zh-Hant for simplified and traditional Chinese translations
#41246 Upgrade to Quarkus 3.24.4 dist/quarkus
#41257 Upgrade to Infinispan 15.0.18.Final infinispan
#41259 Passkeys support in IdpUsernamePasswordForm authentication/webauthn
#41283 Update ua-parser to 1.6.1
#41293 Remove obsolete Liquibase FK snapshot generator storage
#41297 Implement CompatibilityMetadataProvider for DB options
#41303 Allow for health check on main interface
#41312 FAPI 2.0 Message Signing Final - Add FAPI 2.0 Final message singning as default profile of client policies oidc
#41313 FAPI 2.0 Message Signing Final - Documentation oidc
#41328 Utilise table to display Features
#41335 Kerberos "Server Principal" value should automatically trim leading/trailing whitespace
#41352 Provide simple HTTP access logs dist/quarkus
#41354 Avoid OTP when logging in with passkey
#41374 Upgrade to Quarkus 3.24.5 dist/quarkus
#41405 Add log details about client assertion for client authentication with Client-JWT
#41455 Adds TiDB into the database test matrix
#41459 Query parameter "claims" not forwarded to external provider identity-brokering
#41551 Support for key size 3072 in rsa-generated key providers
#41556 Switch passkeys to supported authentication/webauthn
#41557 Update passkeys documentation after they are supported docs
#41558 Ensure cache configuration has correct number of owners
#41559 Simplify Cache Configuration file by removing built-in cache configurations
#41561 Detect and handle KC split brain clusters
#41585 Refactor high-availability guide to include both single and multi cluster architectures
#41613 Ability to display 'authenticator provider' of the WebAuthn credential authentication/webauthn
#41625 Login[v2]: "Update email" screen is not polished login/ui
#41666 Default to stretched clusters on Kubernetes when possible
#41670 Allow forwarding the `claims` parameter from the initial authorization request to brokered OPs
#41717 Upgrade to Quarkus 3.25.2 dist/quarkus
#41729 Define default topologySpreadConstraints
#41765 Add Azerbaijani translations translations
#41766 Add the ability to set abritrary environment variables in Keycloak CR
#41820 Add a warning about provider jars
#41831 Improve autocomplete on mobile for OTP field
#41836 Add config option to Configure OTP action to automatically add RecoveryCodes action upon OTP creation.
#41837 Remove OIDCLoginProtocolService.certsHead() oidc
#41870 Kazakh (kk) locale support with translations translations
#41898 Clarify the documentation on automatic database schema downgrades core
#41901 FGAP v2: RESET_PASSWORD capability for USERS
#41933 Configure topology information in Infinispan
#41934 Infinispan 15.0.19.Final
#41950 Log applied cache configurations as part of debug logs
#42016 More flexible handling of params, headers and entities for SimpleHTTP
#42030 Could the list of supported DPoP algorithms be dynamically retrieved? oidc
#42031 Minor enhancements in the DPoP related codebase oidc
#42032 Switch DPoP feature to supported oidc
#42047 Skip configuring `jdbc-ping` stack in local mode
#42094 keycloak oob (out-of-band) copy button login/ui
#42096 Concurrently update the remote caches
#42180 Cache UserAgent parsing result
#42186 Document network latency requirements for stretched clusters
#42191 Document mtls considerations for probes
#42203 Upgrade to Quarkus 3.27 LTS
#42269 Some 409 API responses are missing from the OpenAPI spec core
#42274 Session IDs and auth codes have less than 128 bits of entropy
#42283 More efficient secure ID generator
#42286 Support EdDSA for DPoP oidc
#42293 Set Liquibase DB type based on the `db` option storage
#42300 Validate wait_timeout parameter on MySQL and MariaDB
#42304 Document tested and supported configurations for single-cluster deployments
#42305 Document that single-cluster deployments expect all Keycloak instances to serve traffic
#42308 Support Aurora PostgreSQL 17.5 in Keycloak's nightly run
#42342 Upgrade to Quarkus 3.26.2 dist/quarkus
#42356 Support MariaDB 11.8 LTS
#42358 Remove usage of the term "stretched" from single-cluster HA guides
#42374 Concurrent update embedded caches and database
#42381 [RLM] - Validate actions that support aggregating actions
#42382 [RLM] - Immediate policies should not allow setting a time to their actions
#42384 [RLM] Allow adding and removing actions to existing policies
#42385 [RLM] Scheduled time of actions should be based on the previous action
#42389 [RLM] Review the available event names to makre more explicit the resource type and the operation they are related to
#42392 Link to quay IO website for the Keycloak image in upstream docs
#42409 Wrong form to enter username and password for an unknown user organizations
#42499 Follow-up: FAPI 2.0 Message Signing final version support - updating the link to the final spec oidc
#42525 Catch specific expeception and add logging when there is no active request context
#42532 Edit Keycloak 26.4 release notes
#42547 Replace UUID with composite key for client session cache infinispan
#42564 Edit Keycloak 26.4 Upgrading Guide
#42628 Lazy load client sessions
#42697 [RLM] - Improve the Workflow JSON schema
#42705 Document Caffeine cache metrics
#42728 DPoP: documentation update oidc
#42733 Test JDK 25 in CI ci
#42740 Possibility to enforce authorization code binding to DPoP oidc
#42746 Polishing of client switch on DPoP oidc
#42751 Allow EdDSA keys in the JWTClientCredentialsProvider to authenticate clients core
#42755 [OID4VCI] Filter supported_enc_algorithms to only include asymmetric algorithms oid4vc
#42756 Add missing Swedish translation for login theme
#42888 [RLM] - Allow defining steps in a workflow that can run immediate or scheduled
#42916 [RLM] - Dot not allow updates to workflow properties that impact the scheduled steps workflows
#42927 Update OID4VCI documentation with new .well-known URL format oid4vc
#42955 Use JDK 25 Temurin in GHA CI ci
#43017 OID4VCI in the release notes for 26.4.0 docs
#43035 Allow setting max age to the update email action

Bugs

#26972 NginxProxySslClientCertificateLookupFactory unable to work with custom trust stores core
#35825 Per client session idle time capped by realm level client idle timeout core
#35932 Importing a realm takes more than 1 minute when multiple others exist. dist/quarkus
#36716 invalid_request when authenticating using PAR (Pushed Authorization Request) while Kerberos is enabled authentication
#38016 User session limit exceeded for both realm and client removes the wrong session core
#38556 Consistent behaviour for User API getUsers and count admin/api
#38924 `--debug` does not work with docker container version of Keycloak core
#38928 Can't install Keycloak Operator on OpenShift via OperatorHub on ARM operator
#39079 AuthenticationFlowException when a user tries a password grant using a service account authentication
#39091 Flaky test: org.keycloak.testsuite.cluster.JGroupsCertificateRotationClusterTest#testCoordinatorHasScheduleTask ci
#39122 Export fails with an unexpected error if the realm does not exist core
#39608 Getting Keycloak exception with request 500 status code on /account with semicolon in URL dist/quarkus
#39609 Users searchAttributes broken for empty value admin/client-java
#39766 [Keycloak Operator CI] - Test local apiserver - Kube API Server did not start properly ci
#39854 Flaky test: org.keycloak.testsuite.cluster.PermissionTicketInvalidationClusterTest#crudWithFailover ci
#39864 IdP redirect fails when user belongs to multiple organizations with organization:* scope organizations
#40160 Action Tokens Copy Nonce Into JTI core
#40192 REST Admin API - ClientsResource response with 200 OK even needed roles are missing admin/api
#40368 NPE during loading user groups with concurrent deletion storage
#40374 Random but frequent duplicate key value violates unique constraint \"constraint_offl_us_ses_pk2\" errors authentication
#40383 KC should connect to a writer instance of PostgreSQL automatically dist/quarkus
#40398 ModelDuplicateException on next login after deleting an account and back-channel logout authentication
#40463 Login to Account Console produces two consecutive LOGIN events account/ui
#40557 Uploading JSON import in UI causes extreme lag or entirely unresponsive page since 26.1 admin/ui
#40680 Inconsistency between UserModel.isMemberOf and RoleUtils.isMember (with LDAP involved) authentication
#40713 Unable to configure TLS reloading in Keycloak version 26.2.0 or later account/api
#40754 UserSession Offline removed from DB if not in cache infinispan
#40782 Flaky test: org.keycloak.testsuite.cluster.RealmInvalidationClusterTest#crudWithFailover ci
#40784 Default jdbc-ping cluster setup for distributed caches fails in Oracle infinispan
#40786 Typo in Consent Scope Representation account/api
#40788 Custom scope display name not shown in Account UI account/ui
#40818 Identity provider links list is limited to 100 entries for a user in the admin UI admin/ui
#40838 Mark options for additional datasources as preview dist/quarkus
#40857 Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow oidc
#40890 Keycloak Operator 26.3.0 fails to update to 26.3.0 operator
#40903 Proxy detection needs tweaked for insecure context warning dist/quarkus
#40930 Docs: server_development/topics/themes.adoc docs
#40932 [Operator] UpdateTest.testImageChange throws TimeoutException operator
#40935 NPE thrown when encoding a token without having a client set in the session oidc
#40945 Unclear documentation for setting management server as http when main server is https dist/quarkus
#40954 Keycloak 26.3.0 Regression: Failed to login if web-authn is disabled core
#40959 Update "Enabling and disabling features" documentation docs
#40975 Make passkeys feature dependent on web_authn authentication/webauthn
#40977 Loglevel recorded from build phase dist/quarkus
#40980 Can't update security-admin-console via admin UI with volatile sessions infinispan
#40984 Backchannel logout token with an unexpected signature algorithm key oidc
#40995 LDAP / ModelException: At least one condition should be provided to OR query core
#40997 Wildcard mappers should be implicitly handled and value propagated dist/quarkus
#41008 Missing signin with passkeys feature when FORCED_REAUTHENTICATION = true authentication/webauthn
#41018 Flaky test: org.keycloak.testsuite.cluster.ClientInvalidationClusterTest#crudWithFailover ci
#41023 Can't send e-mails to international e-mail addresses: bad UTF-8 syntax core
#41029 DOC: 'Running Keycloak in a Container' inconsistent docs
#41035 Skip update email required action if email attribute is not writable
#41037 WebAuthN Setup: OperationError: A request is already pending. authentication/webauthn
#41038 FIPS errors in CI
#41041 Able to create a client without entering Client ID admin/ui
#41044 Federated users incorrectly listed on first load due to uninitialized userProfileProvidersEnabled admin/ui
#41080 Permission evaluatio for resource type Clients broken admin/fine-grained-permissions
#41082 Multiple primary key defined when attempting to upgrade after 26.3.0 core
#41098 Locked out after upgrade to 26.3.1 due to missing sub in lightweight access token core
#41103 Service Account users now showing in the User List admin/ui
#41105 Unknown relation when removing realm role with --db-schema configured storage
#41117 NUL byte characters are sent from query parameters to the database causing SQL exception core
#41140 Blank Tab in Client Registration Access Policies admin/ui
#41148 org.keycloak.authentication.forms.RegistrationPassword#validate -> java.lang.UnsupportedOperationException authentication
#41152 Docs use em-dashes instead of double dashes for SPI options in regular text docs
#41170 'exp' and 'iat' missing from claims_supported entry in OpenID Endpoint Configuration oidc
#41181 FAPI 2.0 Message Singing Final - PAR endpoind does not return an appropriate error regarding a request object oidc
#41184 CVE-2025-48924 - Uncontrolled Recursion vulnerability in Apache Commons Lang
#41188 UserResources.addFederatedIdentity is missing OpenApi @Consumes annotation admin/api
#41204 UpdateTest CI failures ci
#41228 [quarkus-next] Migration tests failed for MySQL-based DB drivers dist/quarkus
#41235 Group imports performance import-export
#41242 Re-authentication with passkeys not easily possible authentication/webauthn
#41268 `--optimized` flag and providers jar are incompatible when used with tools changing `last-modify-date` dist/quarkus
#41287 Failing test in account console account/ui
#41289 Account test failing account/ui
#41290 Concurrent starts with JDBC_PING lead to a split cluster infinispan
#41295 Avoid additional execution of Liquibase changelog lock table statement storage
#41299 [quarkus-next] Missing comment generated by Liquibase executor in the custom script storage
#41331 Prevent sending massive amount of emails if a user clicks multiple times to get a new verify email link core
#41339 Add and delete bundle test failing admin/ui
#41388 Welcome page creates an temporary user core
#41390 JDBC_PING2 doesn't merge split clusters after a while infinispan
#41418 Access to user details for restricted admin fails after enabling organizationin realm organizations
#41421 Broken link securing-cache-communication in caching docs docs
#41423 Duplicate IDs in generated all configuration docs docs
#41427 Parallel token exchange fails if client session is expired token-exchange
#41466 [quarkus-next] @QuarkusTest fetches JARs again when executed dist/quarkus
#41468 [quarkus-next] [windows] ClassNotFoundException: JvmOptionsBuilder dist/quarkus
#41469 Uncaught exception cases unclosed spans in tracing dist/quarkus
#41474 File choosing tests fail on Windows admin/ui
#41488 Synchronize Maven surefire plugin with Quarkus dist/quarkus
#41491 ExternalLinks are broken in documentation docs
#41520 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and KERBEROS_PRINCIPAL was null on creation ldap
#41532 LDAP Sync all users takes unexpectedly long in 26.3 (> 30 min) ldap
#41537 Getting error 405 "Method Not Allowed" when calling the "certs" endpoint with HEAD method oidc
#41598 Kerberos playwright test flaky admin/ui
#41609 RejectImplicitGrantExecutor does not return an error when a PAR request includes Implicit or Hybrid response type oidc
#41620 Typos and AsciiDoc formatting in token exchange docs
#41624 Duplicate fields in RealmRepresentation in OpenAPI JSON file docs
#41641 Cannot use `dev-file` for additional datasources storage
#41643 Test SMTP connection fails when no port is specified admin/api
#41648 Flaky user profile test admin/ui
#41653 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerWellKnownProviderTest#testMetaDataEndpointIsCorrectlySetup ci
#41662 TiDB Many WAITING threads during high load scenario core
#41663 Typo in the caching doc docs
#41669 Keycloak SAML Adapter subsystem does not work in WildFly 37 adapter/saml
#41677 Provider default regression dist/quarkus
#41683 SAML test is flaky admin/ui
#41701 The same text shows up twice on the e-mail validity confirmation screen account/ui
#41711 Another flaky SAML test admin/ui
#41728 Node.js v22.18.0 causes JavaScript CI to fail
#41744 Weblate does not show zh_hant for the admin UI translations
#41752 Flaky Organization test admin/ui
#41755 Forwarded `claims` parameter from the initial authorization request to brokered OPs is not URL encoded identity-brokering
#41792 docs: Non interactive logout options missing documentation oidc
#41799 Authorization filtering causes NullPointerException with "Null keys are not supported!" in searchForUserStream (26.3.1+) account/api
#41801 Lack of coordination in database creation in 26.3.0 causes deployment failures (Reopen) core
#41804 OIDC identity provider token refresh fails with JsonMapperException identity-brokering
#41808 CVE-2025-7962 In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages core
#41821 Fix Jandex version collision to allow running tests using auth-server-quarkus-embedded testsuite
#41823 Test flaky due to dual certificates admin/ui
#41834 Clicking email confirmation links in Outlook results in a "stale link" error core
#41842 memberOf attribute empty or values with a DN that does not match the role base DN fetches all roles ldap
#41854 KeycloakSession javadoc references keycloak-server.json core
#41860 Unbalanced HTML in login form templates login/ui
#41897 Hibernate 7.1 breaks TiDB support ci
#41903 [Operator CI] - Test local apiserver - Could not load class with name KeycloakDistConfiguratorTest ci
#41906 Backwards incompatible changes to 26.3.0 cause NullPointerException when requesting /certificates/jwt.credential/generate-and-download authentication
#41909 Admin console provider info shows "Add providers" admin/ui
#41913 [Store IT] - UserSessionRefreshTimePolicyTest unstable ci
#41914 Role mapping `account.manage-account-links` not sufficient for Client initiated account linking authentication
#41937 Display name for requireAction.idp_link, requireAction.delete_credential and requireAction.update_user_locale not mapping correctly admin/ui
#41942 Uncaught server error: org.keycloak.models.ModelException: Database operation failed : Sync LDAP Groups to Keycloak (Custom Provider) core
#41945 After upgrade to 26.3: Not possible to use Credentials having not-unique label login/ui
#41994 Check for non-ascii local part on emails depending on SMTP configuration core
#42006 Fix flaky tests for personal info in account console account/ui
#42012 Client session timestamp not updated in the database if running multiple nodes infinispan
#42018 Realm overrides test is flaky admin/ui
#42033 [RLM] NPE during user authentication core
#42044 Dynamic client authentication configuration uses wrong config admin/ui
#42046 KeycloakRealmImport placeholder replacement provides access to sensitive environment variables. operator
#42050 Recovery Codes are shown as "another way" even if not configured login/ui
#42052 User Profile attribute annotation "inputType" yields in not savable attribute user-profile
#42057 [Operator] Update job incorrectly inherits podTemplate configuration from unsupported.podTemplate operator
#42069 Fix common failures when running the admin console tests on Firefox
#42114 "Session/EntityManager is closed" during application startup "singleFile" users import testsuite
#42139 Backwards compatibility awareness identity-brokering
#42142 Dedicated client scope mappers missing oidc
#42158 Bug in configuration keycoak via keycloak.conf dist/quarkus
#42159 Docs: authorization_services/topics/permission-typed-resource-permission.adoc authorization-services
#42164 [Keycloak CI - Docs] Broken links core
#42165 [Keycloak CI - Admin UI, Account UI, Account E2E UI] Installing PNMP Error ci
#42178 Integer validation error not shown for user profile fields user-profile
#42182 Validation errors for required actions don't show translated messages admin/ui
#42201 Local access required if KC_BOOTSTRAP_ADMIN_CLIENT_ID is set but not KC_BOOTSTRAP_ADMIN_USERNAME login/ui
#42208 Audience mapper not honored when requesting organization scope authentication
#42213 Importing SAML IdP metadata sets Validate Signatures to false even if signing certificate is provided saml
#42263 Quarkus config (quarkus.properties) not picked up after 26.3.0 dist/quarkus
#42270 Missing double-dash in the events documentation core
#42276 Admin UI hides local users when LDAP provider fails (generic error shown; forces workaround) admin/ui
#42278 Flaky test: org.keycloak.testsuite.model.session.UserSessionConcurrencyTest#testConcurrentNotesChange ci
#42334 Experimental features enabled warning shown multiple times dist/quarkus
#42335 Colored output is lost during startup dist/quarkus
#42339 Allowed Client Scopes add openid scope in scope list oidc
#42360 LDAP mapper test is flaky admin/ui
#42369 Missing client session offline settings on realm level in the admin UI admin/ui
#42375 Client to be included cannot be configured for the OID4VCITargetRoleMapper anymore oid4vc
#42390 OIDC fails if doens't have email mapper if a LDAP exists ldap
#42403 ui-shared: Accessibility of Switch control admin/ui
#42405 Old hmac-generated (32bit) is recreated when order is changed in realm keys ui core
#42408 Organization without email domain shows an error when trying to link an Identity Provider organizations
#42419 Client authenticators executed multiple times oidc
#42426 Guides contain broken ha links docs
#42496 Compilation error in RolePolicyConditionProvider core
#42575 Locale selector displays incorrect label for Chinese translations
#42650 Failing device-activitiy test in account-ui tests oidc
#42652 NullPointerException when persisting a client session infinispan
#42678 Operator ClusterRoleBinding contains hardcoded namespace operator
#42706 Incorrect scheme in the WWW-Authenticate when Authorization: DPoP used oidc
#42716 The core class EdECUtilsImpl is not present in the sources jar core
#42726 Update of sssd should add IFP section to the configuration core
#42736 Reset password in admin UI with 'not recently used' password policy leads to error 'Device already exists with the same name' core
#42737 The new email is mandatory error for update profile action with enabled update email user-profile
#42752 Keycloak build broken ci
#42765 Can't log in to admin and account console due to Web Crypto API not being available account/ui
#42769 Missing switch "ID Token as detached signature" in the admin console client settings oidc
#42770 Introduce pending email verification message for UPDATE_EMAIL core
#42786 Inconsistent spelling auth WebAuthn core
#42792 IDX_EVENT_ENTITY_USER_ID_TYPE missing column EVENT_TIME core
#42828 Remove environment information from the server-info admin/api
#42833 Add validation of workflow steps also when adding single step to workflow workflows
#42837 Identify-First form should disallow empty entry organizations
#42856 Broken external link in documentation for npm.js.com docs
#42867 LOGIN event without a user session oidc
#42877 Valid scope parameter in access token request is rejected with invalid_scope error oidc
#42887 SPIFFE IdP added to login screen when created via browser identity-brokering
#42918 Typo in the latest documentation docs
#42922 Dynamic Client Registration invalidates the realm cache core
#42949 Username containing a '#' is truncated in Admin Console when hiding inherited roles user-profile
#42958 Upgrade bc-fips dependencies dependencies
#43002 Delete workflow has wrong messages. admin/ui