Keycloak 26.5.6 released
March 19, 2026
To download the release, go to Keycloak downloads.
Upgrading
Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #45645 CVE-2026-1180 - Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri oidc
- #45647 CVE-2026-1035 - Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition oidc
- #45650 CVE-2025-14777 - Keycloak IDOR in realm client creating/deleting
- #45653 CVE-2025-14082 keycloak-server: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure
- #46719 CVE-2026-3121 - Keycloak: Privilege escalation via manage-clients permission
- #46723 CVE-2026-3190 - Information Disclosure via improper role enforcement in UMA 2.0 Protection API core
- #46922 CVE-2026-3911 Keycloak: Information disclosure of disabled user attributes via administrative endpoint user-profile
- #47062 CVE-2026-2366 Authorization Bypass: Unprivileged tokens can enumerate user organization memberships organizations
Bugs
- #45889 Federated user disabled when external DB unavailable, never re-enabled storage
- #46239 AUTH_SESSION_ID cookie reuse causes cross-user session contamination on re-authentication authentication
- #46296 UsersResource.search briefRepresentation started to return user attributes admin/api
- #46379 Unexpected error when logging out with offline session and external IDP oidc
- #46459 Operator-built DB config: targetServerType=primary not applied / connection validation not working after master-replica failover (26.5.0) operator
- #46588 Partial LDAP sync duration does not follow the defined value in user federation ldap
- #46605 26.5.4 startup regression with many realms: RealmCacheSession.prepareCachedRealm() scans master admin role composites per realm (O(N²)) core
- #46656 Em-Hyphens in SPI options on cache configuration page docs
- #46663 JGroups bind port configuration ignored when --cache-embedded-network-bind-port set infinispan
- #46669 SPIFFE Client assertion throws a NullPointerException if no client is found token-exchange
- #47079 Do not allow fetching organizations of a member if not a member of the current organization organizations