Keycloak 26.4.1 released

October 16 2025

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

• #43020 Secure Client-Initiated Renegotiation - disable by default dist/quarkus

Enhancements

• #42990 Hide read-only email attribute in update profile context with update email enabled user-profile
• #43357 JDBC_PING should publish its physical address on startup

Bugs

• #40965 Group permission denies to view user admin/fine-grained-permissions
• #41292 openid-connect flow is missing response type on language change authentication
• #42565 Standard Token Exchange: chain of exchanges eventually fails token-exchange
• #42676 Security Defenses realm settings lost when switching between Headers and Brute Force Detection tabs (v25+) admin/ui
• #42907 Race condition in authorization service leads to NullPointerException when evaluating permissions during concurrent resource deletion authorization-services
• #43042 Avoid NPE in FederatedJWTClientAuthenticator when checking for supported assertion types core
• #43070 Update email page with pending verification email messages prefilled with old email user-profile
• #43096 keycloak-operator 26.4.0 missing clusterrole permissions docs
• #43104 Release notes fix for update email docs
• #43161 Restarting an user session broken for persistent sessions infinispan
• #43164 Keycloak docs state that only TLSv1.3 is used docs
• #43218 Cannot revoke access token generated by Standard Token Exchange oidc
• #43254 Make sure username and email attributes are lower cased when fetching their values from LDAP object ldap
• #43269 Keycloak 26.4 returns a different error response on a token request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does oidc
• #43270 Keycloak 26.4 returns a different error response on a CIBA backchannel authentication request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does oidc
• #43286 Broken links on DB server configuration guide docs
• #43304 SAML Client - Encrypt assertions toggle shows wrong dialog text (Client signature required) saml
• #43328 "Remember me" user sessions remain valid after "remember me" realm setting is disabled authentication
• #43335 First JDBC_PING initialization happens in the JTA transaction context infinispan
• #43349 Client session may be lost during session restart infinispan
• #43394 SPIFFE client authentication does not work when JWT SVID includes `iss` claim
• #43459 Invalid YAML in advanced Operator configurations docs