Review permission model to access SCIM APIs
Changed access requirements for SCIM API endpoints ServiceProviderConfig, ResourceTypes, and Schemas to require only query-users or query-groups permissions instead of more restrictive access controls.
Keycloak — Security, Auth product updates and releases, tracked on megachangelog.
This release addresses 14 critical and high-severity CVEs covering OIDC token handling, WebAuthn validation, CORS bypass, SSRF vulnerabilities, and privilege escalation issues. Additionally, it includes multiple bug fixes for core functionality and enhancements to Quarkus and dependencies.
Keycloak 26.6.2 is a patch release that includes 16 critical security fixes addressing CVEs related to HTTP/2 CONTINUATION frame floods, HTTP request smuggling, improper access control in UMA endpoints, stored XSS vulnerabilities, WebAuthn attestation bypasses, and various authentication and token handling vulnerabilities. It also includes bug fixes, enhancements to monitoring and installation documentation, and a Quarkus upgrade to 3.33.1.1.
Keycloak 26.4.12 has been released with version-specific updates and improvements.
Keycloak version 26.2.16 has been released with various updates and improvements.
This release addresses two critical security vulnerabilities including a blind SSRF via HTTP redirect handling and user enumeration via identity-first login. It also includes bug fixes for session token handling, admin client installation issues, and various other stability improvements.
Keycloak 26.6.0 promotes JWT Authorization Grant, Federated Client Authentication, and Workflows from preview to fully supported, enabling external token exchange, credential federation without managing secrets, and realm automation. The release also adds Organization Groups, DPoP guidance, Identity Brokering APIs V2, step-up SAML authentication, and LDAP password policy enforcement.
A security update addressing seven CVEs, including improper access control in the Admin REST API, UMA policy injection vulnerabilities, an OIDC redirect URI validation bypass, and privilege escalation via forged authorization codes. It also includes an upgrade to Quarkus 3.27.3 and a bug fix for Host header handling.