Keycloak 26.4.4 released
November 07 2025
To download the release, go to Keycloak downloads.
Upgrading
Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #10388 Allow to hide client scopes from scopes_supported in discovery endpoint
- #43076 Add rate limiter for sending verification emails in context of update email
- #43509 Role authorization for workflows. admin/api
Bugs
- #41270 Cannot save new attribute group admin/ui
- #41271 Changing user profile attribute results in an error everytime admin/ui
- #43082 ExternalLinksTest is broken due to missing path parameters docs
- #43091 Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login login/ui
- #43160 Regression in DEBUG_PORT handling since 26.4.0 – host binding (*:port / 0.0.0.0:port) no longer works dist/quarkus
- #43460 FGAP/UI: `reset-password` succeeds but UI shows 403 without Users:manage admin/fine-grained-permissions
- #43505 DPoP proof replay check doesn't consider clock skew oidc
- #43516 Deleting Client is slow and fails when a lot of client sessions exist core
- #43578 "admin" client role now requires server admin user admin/api
- #43579 403 Forbidden when assigning realm-management client roles with realm-admin despite FGAP disabled (regression in 26.4.0+) admin/fine-grained-permissions
- #43596 FGAP: user can no longer open account management page, broken by `reset-password` admin/fine-grained-permissions
- #43621 Version 26.4.1 breaks existing ldap users with capital letters in username ldap
- #43682 When syncing roles, the database layer can see deadlocks
- #43698 Role Mapper is updating the user every time on login identity-brokering
- #43723 Only add the none verifier when attestation conveyance preference is none (or default) authentication/webauthn
- #43734 Refresh token allowed for offline session even the related scope is removed
- #43736 FGAP V2: reset-password scope error when viewing users with Group permissions only core
- #43744 Increased memory usage due to leaking KeycloakSession instances admin/api
- #43759 QuarkusKeycloakSession not garbage collected when running Liquibase dist/quarkus
- #43761 QuarkusKeycloakSession kept in memory for each timer core
- #43763 Normalizing of Keycloak URLs not documented dist/quarkus
- #43774 Under OLMv1 service monitor check uses wrong namespace operator
- #43785 QuarkusKeycloakSession leak in DeclarativeUserProfileProvider user-profile
- #43853 Ensure the logout endpoint removes the authentication session oidc
- #43863 JS CI failing after normalization testsuite