Update keycloak.version [SECURITY] - abandoned #83
Open
renovate[bot] wants to merge 2 commits into main from
Conversation
Co-authored-by: Johannes Pahle <82645554+ITegs@users.noreply.github.com>
7b01f94 to b7ef567
b7ef567 to f24902a
f24902a to 66208b5
renovate[bot] (Author): Autoclosing Skipped: This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.
renovate[bot] (Author): Edited/Blocked Notification: Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.
This PR contains the following updates:
26.5.0 → 26.6.0
26.5.0 → 26.6.0
26.5.0 → 26.6.1
Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes
CVE-2026-0871 / GHSA-v4jw-m6rm-399h
A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.
Severity: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Keycloak: Unauthorized authentication via disabled SAML Identity Provider
CVE-2026-2603 / GHSA-x4p7-7chp-64hq
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure
CVE-2026-3190 / GHSA-q35r-vvhv-vx5h
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the uma_protection role check. This allows any authenticated user with a token issued for a resource server client, even without the uma_protection role, to enumerate all permission tickets in the system. This vulnerability partially leads to information disclosure.
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Keycloak services allows the issuance of access and refresh tokens for disabled users
CVE-2025-14559 / GHSA-wv3h-x6c4-r867
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.
Severity: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Keycloak affected by improper invitation token validation
CVE-2026-1529 / GHSA-hcvw-475w-8g7p
A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens
CVE-2026-1486 / GHSA-37gf-gmxv-74wv
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes
CVE-2025-13881 / GHSA-g78x-7vwx-9f58
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.
Severity: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService
CVE-2025-14778 / GHSA-fm6w-rrp3-2x4w
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator
CVE-2026-3009 / GHSA-m297-3jv9-m927
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Keycloak: Denial of Service due to excessive SAMLRequest decompression
CVE-2026-2575 / GHSA-xv6h-r36f-3gp5
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Keycloak: manage-clients permission escalates to full realm admin access
CVE-2026-3121 / GHSA-7xf9-4jfc-wgm4
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
Severity: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw
CVE-2026-4282 / GHSA-hj93-h7pg-fh6v
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
Severity: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Keycloak: Replay of action tokens via improper handling of single-use entries
CVE-2026-4325 / GHSA-rx66-hj7g-28h7
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.
Severity: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
CVE-2026-3872 / GHSA-cjm2-j6cm-6p6m
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
CVE-2026-4636 / GHSA-f2hx-5fx3-hmcv
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Keycloak: Application-Level DoS via Scope Processing
CVE-2026-4634 / GHSA-h4wv-g838-66g3
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
CVE-2026-2092 / GHSA-wmxr-6j5f-838p
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.
Severity: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Keycloak's identity-first login flow exposes user information
CVE-2026-4633 / GHSA-rhgq-f8x5-j2jc
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.
Severity: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Release Notes
keycloak/keycloak (org.keycloak:keycloak-server-spi-private)
v26.6.0
Highlights
This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:
JWT Authorization Grant, enabling external-to-internal token exchange using externally signed JWT assertions.
Federated client authentication, eliminating the need to manage individual client secrets in Keycloak.
Workflows, enabling administrators to automate realm administrative tasks such as user and client lifecycle management.
Zero-downtime patch releases, allowing rolling updates within a minor release stream without service downtime.
The Keycloak Test Framework, replacing the previous Arquillian-based solution.
All of these features are now fully supported and no longer in preview. Read on to learn more about each new feature. If you are upgrading from a previous release, also review the changes listed in the upgrading guide.
Security and Standards
JWT Authorization Grant (supported)
JWT Authorization Grant (RFC 7523) is designed to implement external-to-internal token exchange use cases. This grant allows using externally signed JWT assertions to request OAuth 2.0 access tokens.
In this release, JWT Authorization Grant is promoted from preview to supported. See the JWT Authorization Grant guide for additional details.
Federated client authentication (supported)
Federated client authentication allows clients to leverage existing credentials once a trust relationship with another issuer exists. It eliminates the need to assign and manage individual secrets for each client in Keycloak.
Federated client authentication is now promoted to supported, including support for client assertions issued by external OpenID Connect identity providers and Kubernetes Service Accounts.
Since the OAuth SPIFFE Client Authentication specification is still in draft status, this feature remains a preview feature in Keycloak.
New guide about Demonstrating Proof-of-Possession (DPoP)
A new guide for OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) in the Securing applications Guides provides information on how to mitigate the risk of stolen tokens by making tokens sender-constrained.
See Securing applications with DPoP for more details.
Identity Brokering APIs V2 (preview)
A new preview version 2 for the Identity Brokering APIs is introduced in this release. When brokering is used during the authentication process, Keycloak allows you to store tokens and responses issued by the external Identity Provider. Applications can call a specific endpoint to retrieve those tokens, which, in turn, can be used to get extra user information or invoke endpoints in the external trust domain. The new version improves the token retrieval endpoint to substitute the internal to external Token Exchange (use case for the legacy Token Exchange V1).
For more information, see the chapter Identity Brokering APIs in the Server Developer Guide.
Step-up authentication for SAML (preview)
The feature step-up-authentication-saml extends the step-up authentication to include the SAML protocol and clients. This feature is in preview mode. Additional information is available in the Server Administration Guide.
OAuth Client ID Metadata Document (experimental)
OAuth Client ID Metadata Document (CIMD) is an emerging standard that defines a JSON document format for describing OAuth 2.0 client metadata. Since version 2025-11-25, the Model Context Protocol (MCP) requires an authorization server to comply with CIMD. Keycloak now includes experimental support for CIMD, allowing it to serve as an authorization server for MCP version 2025-11-25 or later.
See Integrating with Model Context Protocol (MCP) for the updated guide including CIMD.
Many thanks to Takashi Norimatsu for the contribution.
Administration
Workflows (supported)
Workflows allow administrators to automate and orchestrate realm administrative tasks, bringing key capabilities of Identity Governance and Administration (IGA) to Keycloak. By defining workflows in YAML format, you can automate the lifecycle of realm resources such as users and clients based on events, conditions, and schedules.
In this release, Workflows is promoted from preview to supported. This release also includes new built-in steps, a troubleshooting guide, and various improvements to the workflow engine.
For more details, see the Managing workflows chapter in the Server Administration Guide.
Organization groups
Organizations now support isolated group hierarchies, allowing each organization to manage its own teams and departments without naming conflicts across the realm. This update includes Identity Provider mappers to automatically assign federated users to organization groups based on external claims. Group membership is automatically included in OIDC tokens and SAML assertions when an organization context is requested.
For more details, see the Managing organization groups guide.
New Groups scope for user membership changes
Fine-Grained Admin Permissions (FGAP) now includes a new Groups scope: manage-membership-of-members. This scope is now used as the group-side bridge for evaluating user-side manage-group-membership permissions based on a user's current group memberships. The existing manage-membership scope keeps its current behavior for target group membership management operations.
Looking up client secrets via the Vault SPI
Secrets for clients can now be managed and looked up by the Vault SPI.
Thank you to Tero Saarni for contributing this change.
Forcing password change for LDAP users
There is now initial support for LDAP password policy control. The support is limited to prompting users to update their password when the LDAP server indicates that the password must be changed. Previously, Keycloak let the user in and ignored the mandatory password reset. There is a new optional setting “Enable LDAP password policy” in the LDAP advanced settings to enable this.
Thank you to Tero Saarni for contributing this change.
Configuring and Running
Java 25 support
Keycloak now supports running with OpenJDK 25. The server container image continues to use OpenJDK 21 for now to support FIPS mode. For details, see the note in the FIPS guide.
Zero-downtime patch releases (supported)
Zero-downtime patch releases allow you to perform rolling updates when upgrading to a newer patch version within the same major.minor release stream without service downtime. In this release, zero-downtime patch releases are promoted to supported and enabled by default. When using the Keycloak Operator, set the update strategy to Auto to benefit from this functionality.
For more details on the Operator configuration, see the Avoiding downtime with rolling updates guide.
Installation instructions for CloudNativePG
For those running Keycloak on Kubernetes, there is now a guide on how to deploy a PostgreSQL database on Kubernetes by leveraging the CloudNativePG Operator and how to connect Keycloak to the database.
See Deploying CloudNativePG in multiple availability zones in the High Availability Guide for details.
Simplified database operations
Several new command line options simplify the database operations for Keycloak and remove the need to use raw JDBC connection options:
Configure TLS for the database connection.
Database connection timeouts.
Transaction timeouts with production-ready defaults.
It also verifies the correct UTF-8 character encoding of the database at startup and prints a warning if this is not the case.
When running on orchestrators like Kubernetes, the startup and liveness probes return UP during database migrations, simplifying upgrades by removing the need to adjust the probes during upgrades.
See the migration guide for additional details on each aspect.
Graceful shutdown of HTTP stack
To allow rolling updates for configuration changes or version updates, a graceful shutdown of Keycloak nodes prevents users from seeing error responses when logging in or refreshing their tokens when nodes shut down.
Starting with this version, Keycloak supports a graceful shutdown of the HTTP stack. This includes delaying a shutdown after receiving a termination signal, connection draining for HTTP/1.1 and HTTP/2 connections during that period, and a shutdown timeout to finish ongoing requests.
The defaults are a shutdown delay and a shutdown timeout of one second each. This should be a good fit for setups where the reverse proxy is using TLS edge termination or re-encryption and the reverse proxy is notified about the Keycloak node shutting down at the same time as the Keycloak node. This is a common setup, for example, in Kubernetes environments.
Users should adjust those values depending on their proxy setup. See the section Graceful HTTP shutdown in the reverse proxy guide for more information.
New KCRAW_ prefix for environment variables to preserve literal values
Keycloak now supports a KCRAW_ prefix for environment variables to preserve values containing $ characters exactly as written, without expression evaluation.
When using the standard KC_ prefix, Keycloak (via SmallRye Config) evaluates expressions in values (for example, ${some_key} is resolved and $$ is collapsed to $). This can silently modify passwords or secrets injected by a secrets manager or orchestration tool where manual escaping is not feasible.
Setting KCRAW_<KEY> instead of KC_<KEY> preserves the value exactly as provided.
See the Preserving literal values with the KCRAW_ prefix section in the Server Configuration guide for details.
Automatic reload of lists with disallowed passwords
When a list of disallowed passwords (also known as blacklist) changes, it is automatically reloaded. This avoids the need for a server restart when the list changes.
Thank you to Tero Saarni for contributing this change.
Automatic truststore initialization on Kubernetes and OpenShift
Keycloak now automatically discovers and trusts cluster certificate authorities when running on Kubernetes or OpenShift, without requiring the Operator to preconfigure the truststore.
If present in the container filesystem, the following certificates are added to the system truststore at startup:
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt (Kubernetes service account CA)
/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt (OpenShift service CA)
This behavior is enabled by default and can be controlled with the server option --truststore-kubernetes-enabled=true|false (default: true).
Most deployments do not require any action. If you relied on the Operator to manage these truststore entries previously, the server now performs the same function directly.
Client certificate lookup providers for Traefik and Envoy
You
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.
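The SAMLRequest decompression issue in this PR's advisory list (CVE-2026-2575) is a bounded-inflation problem. The following is an added Python example, not Keycloak's code, showing how a consumer of the SAML Redirect Binding can cap DEFLATE inflation so memory use depends on the configured limit rather than on the compression ratio of the input. The 1 MiB bound, the function names and the sample AuthnRequest are assumptions constructed for this example.

```python
import base64
import urllib.parse
import zlib

# Upper bound on the inflated SAMLRequest. The value is an assumption for this
# example: real AuthnRequests are a few KB, so 1 MiB leaves generous headroom.
MAX_INFLATED_BYTES = 1024 * 1024


class SamlRequestTooLarge(ValueError):
    """Raised when a SAMLRequest would inflate beyond the configured bound."""


def encode_redirect_saml_request(xml: bytes) -> str:
    """Encode an XML document the way the SAML Redirect Binding does:
    raw DEFLATE (no zlib header), then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(xml) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated), safe="")


def decode_redirect_saml_request(param: str, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inverse of encode_redirect_saml_request, with bounded inflation.

    zlib.decompressobj.decompress(data, max_length) returns at most max_length
    bytes and parks unprocessed input in unconsumed_tail, so the output buffer
    never grows past the bound. Asking for limit + 1 bytes distinguishes
    "exactly at the limit" (allowed) from "over the limit" (rejected) in one call.
    """
    raw = base64.b64decode(urllib.parse.unquote(param), validate=True)
    inflater = zlib.decompressobj(-15)
    out = inflater.decompress(raw, limit + 1)
    if len(out) > limit:
        raise SamlRequestTooLarge(f"inflated SAMLRequest exceeds {limit} bytes")
    if not inflater.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def saml_request_within_limit(param: str, limit: int = MAX_INFLATED_BYTES) -> bool:
    """Predicate form of the check, convenient for request filtering or tests."""
    try:
        decode_redirect_saml_request(param, limit)
        return True
    except SamlRequestTooLarge:
        return False


# Constructed sample input: a minimal AuthnRequest of the kind an SP sends.
SAMPLE_AUTHN_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_example-id" Version="2.0" IssueInstant="2026-01-01T00:00:00Z" '
    b'AssertionConsumerServiceURL="https://sp.example.test/acs"/>'
)


def oversized_param(n_bytes: int) -> str:
    """Constructed test input: a highly compressible document that inflates to
    exactly n_bytes. Used only to exercise the bound above."""
    return encode_redirect_saml_request(b"<a>" + b"\x00" * (n_bytes - 7) + b"</a>")


if __name__ == "__main__":
    ok = encode_redirect_saml_request(SAMPLE_AUTHN_REQUEST)
    assert decode_redirect_saml_request(ok) == SAMPLE_AUTHN_REQUEST
    big = oversized_param(8 * MAX_INFLATED_BYTES)
    print(f"8 MiB document is only {len(big)} characters on the wire")
    print("within limit:", saml_request_within_limit(big))  # False
```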