Keycloak 26.5.7
Security update addressing seven CVEs, including improper access control in the Admin REST API, a UMA policy resource injection that allows cross-user permission grants, a redirect URI validation bypass in the OIDC authorization endpoint, and privilege escalation via forged authorization codes. Also includes an upgrade to Quarkus 3.27.3 and a fix for requests that arrive without a Host header.
Upgrading
Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #45493 CVE-2025-14083 keycloak-server: Improper Access Control in Admin REST API leads to information disclosure (admin/api)
- #45569 CVE-2026-1002 io.vertx/vertx-core: static handler component cache can be manipulated to deny access to static files
- #47069 CVE-2026-3429 Improper Access Control for LoA During Credential Deletion (account/api)
- #47716 CVE-2026-4634 Keycloak Application-Level DoS via Scope Processing
- #47717 CVE-2026-4636 UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
- #47718 CVE-2026-3872 Redirect URI validation bypass via `..;/` path traversal in OIDC auth endpoint
- #47719 CVE-2026-4282 Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw
Enhancements
- #46631 Upgrade to Quarkus 3.27.3 (dist/quarkus)
Bugs
- #45204 Call without Host header throws uncaught error (core)