Keycloak 26.5.7 released
April 02 2026
To download the release go to Keycloak downloads.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #45493 CVE-2025-14083 keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure admin/api
- #45569 CVE-2026-1002 - io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files
- #47069 CVE-2026-3429 Improper Access Control for LoA During Credential Deletion account/api
- #47716 CVE-2026-4634 Keycloak Application-Level DoS via Scope Processing
- #47717 CVE-2026-4636 UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
- #47718 CVE-2026-3872 Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
- #47719 CVE-2026-4282 Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw
Enhancements
- #46631 Upgrade to Quarkus 3.27.3 dist/quarkus
Bugs
- #45204 Call without Host header throws uncaught error core