Deploying to main from @ a58e5b5078cef1678bda0b890ebb809d45b3dc7e 🚀

Author: keycloak-bot

2026/05/keycloak-2662-released.html

@@ -0,0 +1,163 @@
+
+<!doctype html>
+<html lang="en" prefix="og: https://ogp.me/ns#">
+<head>
+<script async src="https://www.googletagmanager.com/gtag/js?id=G-0J2P9316N6"></script>
+<script>
+window.dataLayer = window.dataLayer || [];
+function gtag(){dataLayer.push(arguments);}
+gtag('js', new Date());
+gtag('config', 'G-0J2P9316N6');
+</script>
+<meta charset="utf-8"/>
+<title>Keycloak 26.6.2 released - Keycloak</title>
+<meta name="twitter:card" content="summary_large">
+<meta name="twitter:site" content="@keycloak">
+<meta property="og:site_name" content="Keycloak">
+<meta property="og:title" content="Keycloak 26.6.2 released">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta name="description" property="og:description" content="Keycloak - the open source identity and access management solution. Add single-sign-on and authentication to applications and secure services with minimum effort.">
+<meta name="author" content="Keycloak Team">
+<meta name="keywords" content="sso,idm,openid connect,saml,kerberos,ldap">
+<link href="https://www.keycloak.org/resources/bootstrap/dist/css/bootstrap.min.css" rel="stylesheet">
+<link href="https://www.keycloak.org/resources/@fortawesome/fontawesome-free/css/all.min.css" rel="stylesheet">
+<link href="https://www.keycloak.org/resources/css/keycloak.css" rel="stylesheet">
+<link rel="canonical" href="https://www.keycloak.org/2026/05/keycloak-2662-released">
+<meta property="og:url" content="https://www.keycloak.org/2026/05/keycloak-2662-released">
+<link rel="icon" type="image/x-icon" href="https://www.keycloak.org/resources/favicon.ico">
+<link rel="icon" type="image/vnd.microsoft.icon" href="https://www.keycloak.org/resources/favicon.ico">
+<link rel="icon" type="image/svg+xml" href="https://www.keycloak.org/resources/favicon.svg">
+<link rel="alternate" type="application/rss+xml" title="Keycloak's Blog" href="https://www.keycloak.org/rss.xml">
+<script type="application/ld+json">
+{"@context":"https://schema.org/","@type":"BlogPosting","@id":"https://www.keycloak.org/2026/05/keycloak-2662-released","headline":"Keycloak 26.6.2 released","name":"Keycloak 26.6.2 released","datePublished":"2026-05-19T08:00:00Z","inLanguage":"en","url":"https://www.keycloak.org/2026/05/keycloak-2662-released","publisher":{"@type":"Organization","@id":"https://keycloak.org","name":"Keycloak"}}
+</script></head>
+<body>
+
+<header class="navbar navbar-expand-md bg-light shadow-sm">
+<nav class="container-xxl flex-wrap flex-md-no-wrap navbar-light" data-nosnippet>
+    <a class="navbar-brand me-3 me-md-4 me-lg-5" href="https://www.keycloak.org/">
+        <img style="aspect-ratio: 730/151" class="img-fluid" src="https://www.keycloak.org/resources/images/logo.svg" width="240" alt="Keycloak"/>
+    </a>
+    <a class="nav-link d-none d-sm-block d-md-none d-lg-block" href="https://github.com/keycloak/keycloak"><img src="https://www.keycloak.org/resources/images/stars-large.svg" style="height: 25px; aspect-ratio: 124/20" alt="GitHub stars"/></a>
+    <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
+      <span class="fa fa-bars fa-lg px-1 py-2"></span>
+    </button>
+    <div class="collapse navbar-collapse" id="navbarCollapse">
+      <ul class="navbar-nav flex-row flex-wrap bd-navbar-nav pt-2 py-md-0">
+        <li class="nav-item col-6 col-md-auto">
+          <a class="nav-link " href="https://www.keycloak.org/guides">Guides</a>
+        </li>
+        <li class="nav-item col-6 col-md-auto">
+          <a class="nav-link " href="https://www.keycloak.org/documentation">Docs</a>
+        </li>
+        <li class="nav-item col-6 col-md-auto">
+          <a class="nav-link " href="https://www.keycloak.org/downloads">Downloads</a>
+        </li>
+        <li class="nav-item col-6 col-md-auto">
+          <a class="nav-link " href="https://www.keycloak.org/community">Community</a>
+        </li>
+        <li class="nav-item col-6 col-md-auto">
+          <a class="nav-link " href="https://www.keycloak.org/blog">Blog</a>
+        </li>
+      </ul>
+    </div>
+    <div class="d-block d-sm-none d-md-block d-lg-none text-center vw-100">
+        <a class="nav-link d-inline p-0" href="https://github.com/keycloak/keycloak"><img src="https://www.keycloak.org/resources/images/stars-large.svg" style="height: 25px; aspect-ratio: 124/20" alt="GitHub stars"/></a>
+    </div>
+</nav>
+</header>
+
+
+<div class="container mt-5 kc-article kc-asciidoc">
+    <h1>Keycloak 26.6.2 released</h1>
+    <p class="blog-date text-muted">May 19 2026</p>
+
+
+<p>To download the release go to <a href="https://www.keycloak.org/downloads.html">Keycloak downloads</a>.</p>
+
+
+<h2>Upgrading</h2>
+<p>Before upgrading refer to <a href="https://www.keycloak.org/docs/latest/upgrading/#migration-changes">the migration guide</a> for a complete list of changes.</p>
+
+<h2>All resolved issues</h2>
+
+<h3>Security fixes</h3>
+<ul>
+<li><a href="https://github.com/keycloak/keycloak-private/issues/381">#381</a> [CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration / #YWH-PGM40475-168 <code>private</code></li>
+<li><a href="https://github.com/keycloak/keycloak-private/issues/392">#392</a> [CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access) / #YWH-PGM40475-113 <code>private</code></li>
+<li><a href="https://github.com/keycloak/keycloak-private/issues/407">#407</a> [CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission #YWH-PGM40475-171 <code>private</code></li>
+<li><a href="https://github.com/keycloak/keycloak-private/issues/427">#427</a> [CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens / #YWH-PGM40475-220 <code>private</code></li>
+<li><a href="https://github.com/keycloak/keycloak-private/issues/453">#453</a> [CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account <code>private</code></li>
+<li><a href="https://github.com/keycloak/keycloak-private/issues/531">#531</a> [CVE-2026-7507] [Vulnerability Report] Session fixation in OIDC login flow leading to account takeover <code>private</code></li>
+<li><a href="https://github.com/keycloak/keycloak-private/issues/573">#573</a> [CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data <code>private</code></li>
+<li><a href="https://github.com/keycloak/keycloak-private/issues/578">#578</a> [CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak <code>private</code></li>
+<li><a href="https://github.com/keycloak/keycloak-private/issues/594">#594</a> [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint <code>private</code></li>
+<li><a href="https://github.com/keycloak/keycloak-private/issues/685">#685</a> [CVE-2026-7307]  Denial of service when sending a crafted request to the /saml endpoint <code>private</code></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/47485">#47485</a> CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/47486">#47486</a> CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/47932">#47932</a> [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters <code>authorization-services</code></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48049">#48049</a> [CVE-2026-37980] Stored XSS in select-organization.ftl - FreeMarker HTML-escape insufficient in inline JS handler <code>organizations</code></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48275">#48275</a> CVE-2026-5588 Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules <code>core</code></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48388">#48388</a> [CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration <code>authentication/webauthn</code></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48570">#48570</a> [CVE‐2026‐0636, CVE‐2026‐3505, CVE‐2026‐5598] Multiple bouncycastle CVEs <code>core</code></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/49108">#49108</a> [CVE-2026-7307]  Denial of service when sending a crafted request to the /saml endpoint </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/49109">#49109</a> [CVE-2026-7504]  Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/49110">#49110</a> [CVE-2026-7571]  Access token disclosure and implicit flow bypass via forged client data </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/49111">#49111</a> [CVE-2026-7507] Session fixation in OIDC login flow leading to account takeover </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/49112">#49112</a> [CVE-2026-37982]  Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/49113">#49113</a> [CVE-2026-37979]  OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/49114">#49114</a> [CVE-2026-37978]  Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/49115">#49115</a> [CVE-2026-4630]  Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access) </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/49116">#49116</a> [CVE-2026-37981]  Broken Access Control in Account Resources User Lookup allows PII enumeration </li>
+</ul>
+
+
+
+
+<h3>Enhancements</h3>
+<ul>
+<li><a href="https://github.com/keycloak/keycloak/issues/47728">#47728</a> Monitor backups for CNPG - describe how to monitor it in the CNPG for backups installation guide </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/47734">#47734</a> Add dedicated "Monitoring Standbys" section to the general installation documentation </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48329">#48329</a> JDBC_PING in 26.6 should not fail with 26.7 schema changes </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48348">#48348</a> Escape expressions in JS blocks in FTL pages </li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48687">#48687</a> Upgrade to Quarkus 3.33.1.1 </li>
+</ul>
+
+<h3>Bugs</h3>
+<ul>
+<li><a href="https://github.com/keycloak/keycloak/issues/38526">#38526</a> Duplicate user attribute values cannot be removed <span class="badge bg-secondary">core</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/40602">#40602</a> Account UI reports "Something went wrong" when opening an unknown path <span class="badge bg-secondary">account/ui</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/47882">#47882</a> Broken link in deploy-cnpg <span class="badge bg-secondary">docs</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/47901">#47901</a> Realm import with --import-realm fails with ModelValidationException when Admin Permissions is enabled <span class="badge bg-secondary">admin/fine-grained-permissions</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/47915">#47915</a> FreeMarker templates allow instantiation of new objects and even running OS commands <span class="badge bg-secondary">login/ui</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/47987">#47987</a> FGAP v2 Specific Group permission has no scopes found in resource <span class="badge bg-secondary">admin/fine-grained-permissions</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48030">#48030</a> Update to operator version 26.6.0 needs deletion of all objects <span class="badge bg-secondary">operator</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48040">#48040</a> User session limit generates fatal error <span class="badge bg-secondary">authentication</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48094">#48094</a> Wrong referenced resource type in Workflow handling for clients <span class="badge bg-secondary">core</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48123">#48123</a> Clarify canonicalization in X.509 authentication <span class="badge bg-secondary">authentication</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48143">#48143</a> Ordering of permission and policy calls leads to exposure of a client ID <span class="badge bg-secondary">admin/api</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48185">#48185</a> Deleted workflow still attempting to run <span class="badge bg-secondary">workflows</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48241">#48241</a> JavaScript Injection in frontchannel-logout.ftl via frontchannel-logout.title <span class="badge bg-secondary">authentication</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48259">#48259</a> Kubernetes identity providers docs still mention it to be a preview feature <span class="badge bg-secondary">docs</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48313">#48313</a> No escape approach for JS code inside the front channel logout FTL <span class="badge bg-secondary">login/ui</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48536">#48536</a> Review migration guide for rolling updates changes <span class="badge bg-secondary">workflows</span></li>
+<li><a href="https://github.com/keycloak/keycloak/issues/48629">#48629</a> WindowsServiceDistTest.testServiceLifecycle fails on slower runners due to insufficient startup timeout <span class="badge bg-secondary">ci</span></li>
+</ul>
+
+</div>
+
+
+<div class="container mt-5" data-nosnippet>
+    <footer class="py-3 my-4 border-top">
+        <p class="text-center text-muted">Keycloak is a Cloud Native Computing Foundation incubation project</p>
+        <div class="text-center">
+            <img style="aspect-ratio: 300/48" alt="Cloud Native Computing Foundation" src="https://www.keycloak.org/resources/images/cncf_logo.png" loading="lazy"/>
+        </div>
+        <p class="mt-4 text-center small text-muted">&copy; Keycloak Authors 2026. &copy; 2026 The Linux Foundation. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage">Trademark Usage page</a>.</p>
+    </footer>
+</div>
+
+<script src="https://www.keycloak.org/resources/bootstrap/dist/js/bootstrap.min.js" type="text/javascript"></script>
+<script src="https://www.keycloak.org/resources/tocbot/dist/tocbot.min.js" type="text/javascript"></script>
+</body>
+</html>

archive/documentation-26.6.html

@@ -83,7 +83,7 @@ <h2 class="mt-4">Guides</h2>
     <tbody>
     <tr>
         <td>
-            <a href="https://www.keycloak.org/docs/26.6.1/release_notes/index.html" target="_blank">
+            <a href="https://www.keycloak.org/docs/26.6.2/release_notes/index.html" target="_blank">
                 Release Notes
             </a>
         </td>
@@ -92,7 +92,7 @@ <h2 class="mt-4">Guides</h2>
     </tr>
     <tr>
         <td>
-            <a href="https://www.keycloak.org/docs/26.6.1/server_admin/index.html" target="_blank">
+            <a href="https://www.keycloak.org/docs/26.6.2/server_admin/index.html" target="_blank">
                 Server Administration
             </a>
         </td>
@@ -102,7 +102,7 @@ <h2 class="mt-4">Guides</h2>
     </tr>
     <tr>
         <td>
-            <a href="https://www.keycloak.org/docs/26.6.1/server_development/index.html" target="_blank">
+            <a href="https://www.keycloak.org/docs/26.6.2/server_development/index.html" target="_blank">
                 Server Developer
             </a>
         </td>
@@ -112,7 +112,7 @@ <h2 class="mt-4">Guides</h2>
     </tr>
     <tr>
         <td>
-            <a href="https://www.keycloak.org/docs/26.6.1/authorization_services/index.html" target="_blank">
+            <a href="https://www.keycloak.org/docs/26.6.2/authorization_services/index.html" target="_blank">
                 Authorization Services
             </a>
         </td>
@@ -122,7 +122,7 @@ <h2 class="mt-4">Guides</h2>
     </tr>
     <tr>
         <td>
-            <a href="https://www.keycloak.org/docs/26.6.1/upgrading/index.html" target="_blank">
+            <a href="https://www.keycloak.org/docs/26.6.2/upgrading/index.html" target="_blank">
                 Upgrading
             </a>
         </td>
@@ -139,7 +139,7 @@ <h2 class="mt-4">API Documentation</h2>
     <tbody>
     <tr>
         <td>
-            <a href="https://www.keycloak.org/docs-api/26.6.1/javadocs/index.html" target="_blank">
+            <a href="https://www.keycloak.org/docs-api/26.6.2/javadocs/index.html" target="_blank">
                 JavaDoc
             </a>
         </td>
@@ -149,7 +149,7 @@ <h2 class="mt-4">API Documentation</h2>
     </tr>
     <tr>
         <td>
-            <a href="https://www.keycloak.org/docs-api/26.6.1/rest-api/index.html" target="_blank">
+            <a href="https://www.keycloak.org/docs-api/26.6.2/rest-api/index.html" target="_blank">
                 Administration REST API
             </a>
         </td>