Keycloak 26.5.2 released

January 23 2026

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

• #44994 CVE-2025-67735 - netty-codec-http: Request Smuggling via CRLF Injection dependencies

Enhancements

• #43443 Keycloak should warn when ISPN or JGROUPS is running in debug level logging
• #45498 Ignore OpenAPI artifacts when disabled dist/quarkus

Bugs

• #44785 Can not get through SSO login if using a custom attribute with default value user-profile
• #45015 Deadlock in Infinispan virtual threads infinispan
• #45250 IDToken contains duplicate address claims oidc
• #45333 User admin events don't show role, group mapping, reset password like events admin/ui
• #45396 Database Migration fails when updating to 26.5.0 on MS SQL core
• #45415 cache-remote-host becomes mandatory at build time when using clusterless feature infinispan
• #45417 Unmanaged Attributes Type (Only administrators can view) allows admin API to set Unmanaged Attributes user-profile
• #45474 Admin REST API document is not up to date docs
• #45526 Regression (26.5.1): Organizations domain resolution fails on MariaDB/MySQL due to ORG/ORG_DOMAIN collation mismatch organizations
• #45533 Keycloak should not allow matrix parameters in URLs as we don't use them dist/quarkus
• #45570 CVE-2025-66560 - io.quarkus/quarkus-rest: Quarkus REST Worker Thread Exhaustion Vulnerability
• #45584 Keycloak supported specs should list DPoP as supported oidc
• #45590 OIDCIdentityProviderConfig issuer configuration token-exchange
• #45597 Possible mismatch of charset/collation between columns on mysql/mariadb organizations
• #45651 CVE-2025-14559 keycloak-services: Keycloak keycloak-services: Business logic flaw allows unauthorized token issuance for disabled users