Keycloak 26.5.4 released
February 20 2026
To download the release, go to Keycloak downloads.
Upgrading
Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #45646 CVE-2026-1190 - Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData saml
- #45649 CVE-2026-0707: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass
- #45776 CVE-2025-5416 keycloak-core: Keycloak Environment Information
- #46372 CVE-2026-2575 - Denial of Service due to excessive SAMLRequest decompression saml
- #46462 CVE-2026-2733 Missing Check on Disabled Client for Docker Registry Protocol
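The two SAML items above come down to two checks an endpoint that accepts SAML messages has to make: a SAMLRequest arriving over the HTTP-Redirect binding is base64 of a raw DEFLATE stream and must be inflated under a hard output ceiling (CVE-2026-2575), and a brokered assertion's SubjectConfirmationData must have its NotOnOrAfter (and NotBefore, if present) compared against the current time before the subject is accepted (CVE-2026-1190). The following Python is an added example written for this page, not Keycloak's own code or a description of its fix. The 64 KiB ceiling, the 60-second clock skew, the helper names, and the sample AuthnRequest, assertion and "bomb" payload are all assumptions constructed for the illustration.

```python
# Added example: bounded SAMLRequest inflation and SubjectConfirmationData time checks.
# Not Keycloak code; limits, names and sample messages are assumptions for this page.
import base64
import binascii
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
MAX_INFLATED_BYTES = 64 * 1024  # assumed ceiling; a genuine AuthnRequest is a few KB


class SamlValidationError(Exception):
    """Raised when an inbound SAML message must be rejected."""


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE with no zlib header, as the HTTP-Redirect binding requires."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    return compressor.compress(data) + compressor.flush()


def encode_redirect_request(xml: bytes) -> str:
    """What a service provider places in the SAMLRequest query parameter."""
    return base64.b64encode(deflate_raw(xml)).decode("ascii")


def inflate_saml_request(encoded: str, max_bytes: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate SAMLRequest with a hard output ceiling, so a few KB of input can
    never be expanded into a huge buffer before the XML parser even runs."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise SamlValidationError(f"bad base64: {exc}")
    inflater = zlib.decompressobj(-15)
    try:
        # Ask for one byte past the limit: reaching it proves the payload is too large
        # without ever allocating more than max_bytes + 1.
        out = inflater.decompress(raw, max_bytes + 1)
    except zlib.error as exc:
        raise SamlValidationError(f"bad DEFLATE stream: {exc}")
    if len(out) > max_bytes:
        raise SamlValidationError(f"inflated SAMLRequest exceeds {max_bytes} bytes")
    if not inflater.eof or inflater.unused_data:
        raise SamlValidationError("truncated DEFLATE stream or trailing data")
    return out


def parse_saml_instant(value: str) -> datetime:
    """xs:dateTime as used in SAML; a trailing 'Z' is rewritten for older Pythons."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    try:
        instant = datetime.fromisoformat(value)
    except ValueError as exc:
        raise SamlValidationError(f"bad xs:dateTime {value!r}: {exc}")
    if instant.tzinfo is None:
        raise SamlValidationError("SAML instants must carry a time zone")
    return instant.astimezone(timezone.utc)


def check_subject_confirmation(assertion_xml: bytes, now: datetime,
                               clock_skew: timedelta = timedelta(seconds=60)) -> None:
    """Reject an assertion whose SubjectConfirmationData is outside its validity window.
    Bearer confirmations must carry NotOnOrAfter; an absent attribute is not 'no limit'."""
    root = ET.fromstring(assertion_xml)
    confirmations = root.findall(".//saml:Subject/saml:SubjectConfirmation", SAML_NS)
    if not confirmations:
        raise SamlValidationError("assertion carries no SubjectConfirmation")
    for confirmation in confirmations:
        is_bearer = confirmation.get("Method") == BEARER
        data = confirmation.find("saml:SubjectConfirmationData", SAML_NS)
        if data is None:
            if is_bearer:
                raise SamlValidationError("bearer confirmation without SubjectConfirmationData")
            continue
        not_before = data.get("NotBefore")
        if not_before is not None and now + clock_skew < parse_saml_instant(not_before):
            raise SamlValidationError("SubjectConfirmationData is not yet valid")
        not_on_or_after = data.get("NotOnOrAfter")
        if not_on_or_after is None:
            if is_bearer:
                raise SamlValidationError("bearer SubjectConfirmationData lacks NotOnOrAfter")
            continue
        if now - clock_skew >= parse_saml_instant(not_on_or_after):
            raise SamlValidationError("SubjectConfirmationData has expired")


def accept_redirect_request(encoded: str, max_bytes: int = MAX_INFLATED_BYTES):
    """Inflated request bytes, or None when the request must be rejected."""
    try:
        return inflate_saml_request(encoded, max_bytes)
    except SamlValidationError:
        return None


def assertion_subject_valid(assertion_xml: bytes, now_iso: str, skew_seconds: int = 60) -> bool:
    try:
        check_subject_confirmation(assertion_xml, parse_saml_instant(now_iso),
                                   timedelta(seconds=skew_seconds))
        return True
    except (SamlValidationError, ET.ParseError):
        return False


# Constructed sample messages (not captured from any real deployment).
SAMPLE_AUTHN_REQUEST = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                        b'ID="_req1" Version="2.0" IssueInstant="2026-02-20T12:00:00Z" '
                        b'AssertionConsumerServiceURL="https://sp.example.test/acs"/>')
# 16 MiB of zeros deflates to roughly 16 KB: small on the wire, huge when inflated.
BOMB_REQUEST = encode_redirect_request(b"\x00" * (16 * 1024 * 1024))
SAMPLE_ASSERTION = (b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
                    b'ID="_a1" Version="2.0" IssueInstant="2026-02-20T12:00:00Z">'
                    b'<saml:Issuer>https://idp.example.test</saml:Issuer><saml:Subject>'
                    b'<saml:NameID>alice</saml:NameID>'
                    b'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
                    b'<saml:SubjectConfirmationData NotOnOrAfter="2026-02-20T12:05:00Z" '
                    b'Recipient="https://sp.example.test/acs"/>'
                    b'</saml:SubjectConfirmation></saml:Subject></saml:Assertion>')

if __name__ == "__main__":
    print("genuine request inflated:",
          accept_redirect_request(encode_redirect_request(SAMPLE_AUTHN_REQUEST)) == SAMPLE_AUTHN_REQUEST)
    print("bomb rejected:", accept_redirect_request(BOMB_REQUEST) is None)
    print("subject valid at 12:03Z:", assertion_subject_valid(SAMPLE_ASSERTION, "2026-02-20T12:03:00Z"))
    print("subject valid at 12:06Z:", assertion_subject_valid(SAMPLE_ASSERTION, "2026-02-20T12:06:00Z"))
```

The decompression ceiling is enforced by the inflater itself (the `max_length` argument), not by inspecting the output afterwards, so memory stays bounded even for a payload that would expand a thousandfold. On the assertion side, note that a missing NotOnOrAfter on a bearer confirmation is treated as a rejection rather than as "never expires", and that the skew is applied symmetrically so legitimate clock drift between identity provider and broker does not produce spurious failures.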
Enhancements
- #46090 New key affinity for session ids
Bugs
- #44488 "Update email" AIA: "Back to Application" URL invokes OIDC callback with missing parameters oidc
- #45065 Client deletion timeout due to large number of client roles storage
- #45680 auth_mellon (SAML) authentication fails after upgrade to 26.5.1 (from 26.4.6) saml
- #45728 Information Disclosure of Client Secret on Unauthenticated Config Endpoint oidc
- #45874 Disabled organizations still resolve in organization‑aware login flows organizations
- #45966 KeycloakRealmImport: Realm created in DB but not visible in Admin Console until restart operator
- #45980 Keycloak cluster with 3 nodes and jdbc-ping stack fails to rejoin after temporary network partition infinispan
- #46100 Makes Database Query on Every Login Page Load Instead of Using Cache infinispan
- #46150 Move upgrading note for SAML to 26.5.4 docs
- #46178 Regression: cannot authenticate in keycloak-admin-client adapter/javascript
- #46290 Incorrect code used error, leading to "400 / Code already used" during Infinispan state transfers infinispan
- #46303 JWT Authorization Grant: Always getting “Token was issued too far in the past to be used now” for EntraID issued tokens oidc
- #46312 io.fabric8:docker-maven-plugin:0.40.3:start failed: Cannot invoke "com.google.gson.JsonElement.isJsonNull()" because the return value of "com.google.gson.JsonObject.get(String)" is null ci