Keycloak 26.4.6 released
November 25, 2025
To download the release, go to Keycloak downloads.
Highlights
This release adds filtering of LDAP referrals by default.
This change enhances security and aligns with best practices for LDAP configurations.
If you cannot upgrade to this release yet, we recommend disabling LDAP referrals in all LDAP providers in all of your realms.
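One way to find the LDAP providers that still need this change is sketched below as an added example; it is not Keycloak project code. It assumes the component lists were exported per realm from the Admin REST API (`GET /admin/realms/{realm}/components?type=org.keycloak.storage.UserStorageProvider`), that LDAP providers carry `providerId` `ldap`, and that the referral setting is stored under the config key `referral` with values such as `follow` or `ignore`; verify these names against your Keycloak version. Treating an unset value as "not following" is also an assumption.

```python
import json

# Constructed sample: realm name -> component list, in the shape assumed for
# GET /admin/realms/{realm}/components?type=org.keycloak.storage.UserStorageProvider
SAMPLE = json.loads("""
{"master": [],
 "corp": [
  {"id": "c-1", "name": "corp-ad", "providerId": "ldap",
   "config": {"enabled": ["true"], "referral": ["follow"]}},
  {"id": "c-2", "name": "legacy-ldap", "providerId": "ldap",
   "config": {"enabled": ["false"], "referral": ["Follow"]}},
  {"id": "c-3", "name": "hr-ldap", "providerId": "ldap",
   "config": {"enabled": ["true"], "referral": ["ignore"]}},
  {"id": "c-4", "name": "lab-ldap", "providerId": "ldap",
   "config": {"enabled": ["true"]}},
  {"id": "c-5", "name": "kerberos", "providerId": "kerberos",
   "config": {"enabled": ["true"], "referral": ["follow"]}}]}
""")

def first(config, key, default=""):
    """Component config values are lists of strings; return the first, normalised."""
    values = config.get(key) or []
    return (values[0] if values else default).strip().lower()

def audit_referrals(realms):
    """Return one finding per LDAP provider whose referral setting is not off."""
    findings = []
    for realm, components in sorted(realms.items()):
        for comp in components:
            if comp.get("providerId") != "ldap":
                continue  # only LDAP user federation providers are in scope
            config = comp.get("config") or {}
            referral = first(config, "referral")
            if referral in ("", "ignore"):
                continue  # assumption: unset or "ignore" means referrals are not followed
            findings.append({
                "realm": realm,
                "provider": comp.get("name"),
                "referral": referral,
                # disabled providers are still reported: they can be re-enabled later
                "enabled": first(config, "enabled", "true") != "false",
            })
    return findings

if __name__ == "__main__":
    for f in audit_referrals(SAMPLE):
        print(f"{f['realm']}/{f['provider']}: referral={f['referral']} enabled={f['enabled']}")
```
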
Upgrading
Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #44478 CVE-2025-13467 Deserialization of untrusted data in ldap user federation
Bugs
- #43323 Sessions not removed when user is deleted (infinispan)
- #43738 UPDATE_EMAIL action invalidates old email (login/ui)
- #43754 Flaky test: org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest (ci)
- #43812 Admin console sends non-JSON payload with content-type: application/json (admin/ui)
- #44125 Double-encoding of query parameter values (e.g. acr_values) for version 26.4 (identity-brokering)
- #44187 [Keycloak Docs CI] Broken links (docs)
- #44189 [jdbc-ping] SQLIntegrityConstraintViolationException: Duplicate entry (infinispan)
- #44229 Unexpected FORMAT_FAILURE error when using cache-config-file with feature-disabled=persistent-user-sessions (infinispan)
- #44269 Admin Client creates malformed paths for requests (admin/client-js)
- #44287 Caching of static theme resources in dev mode is disabled (core)