Red Hat SummitRelease Notes
Abstract
Chapter 1. Overview
Red Hat build of Keycloak is based on the Keycloak project, which enables you to secure your web applications by providing Web SSO capabilities based on popular standards such as OpenID Connect, OAuth 2.0, and SAML 2.0. The Red Hat build of Keycloak server acts as an OpenIDConnect or SAML-based identity provider (IdP), allowing your enterprise user directory or third-party IdP to secure your applications by using standards-based security tokens.
Chapter 2. Updates for 26.4.10
This release contains several fixed issues and changes related to upgrading. For details, see the Upgrading Guide.
2.1. CVE fixes
- CVE-2026-0707 Keycloak’s authentication pipeline excessively tolerates non-standard Bearer token formats (case variations, Tab characters, multiple spaces, mixed whitespace) in the Authorization header, creating inconsistencies with front-end security controls (WAF/proxies) and enabling potential bypass risks.
- CVE-2026-1190 When SAML is configured to act as a client (SAML brokering) it does not check NotOnOrAfter is defined inside the SubjectConfirmationData. This just affects in the sense that an attacker can delay the response for more of the expected time..
-
CVE-2026-2092 Unauthorized access by improper validation of encrypted SAML assertions. Keycloak validates that plaintext elements are signed when the response root is not signed, but it does not apply the same binding requirement to
<Assertion><EncryptedAssertion> - CVE-2026-2575 An unauthenticated remote attacker can trigger a Denial of Service (DoS) by sending a highly compressed SAMLRequest by the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and process termination.
- CVE-2026-2603 A SAML Identity Provider that is disabled in the broker realm can still complete IdP‑initiated broker logins.
- CVE-2026-2733 Improper Authorization vulnerability in the Docker v2 authentication endpoint (/protocol/docker-v2/auth) of Keycloak. Even after the client is administratively disabled, the endpoint continues to issue valid authentication tokens when provided with valid user credentials and client ID.
- CVE-2026-3047 A SAML client marked Disabled in the broker realm still completes IdP-initiated broker login and creates a realm SSO session.
- CVE-2026-3009 Improper Authorization vulnerability. The flaw occurs because the broker login endpoint does not re-validate the enabled/disabled status of the configured Identity Provider (IdP) at the time of login processing.
Chapter 3. Updates for 26.4.9
This release contains several fixed issues and some notable changes. For details, see the Upgrading Guide.
3.1. CVE fixes
- CVE-2025-13881 The Admin API (/unmanagedAttributes) endpoint fails to respect the visibility configuration defined in the User Profile settings.
- CVE-2025-14559 This vulnerability allows the issuance of access and refresh tokens for disabled users via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.
- CVE-2025-14778 A Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API).
- CVE-2026-1529 Organization invitation tokens in Keycloak are parsed without cryptographic signature verification during the registration flow.
- CVE-2026-1486 A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens.
- CVE-2026-0871 An administrator with manage-users permission can modify unmanaged user attributes in Keycloak, even when the "Only administrators can view" setting is enabled.
- CVE-2026-0976 Keycloak accepts RFC-compliant matrix parameters (e.g., ;param) in path segments, while common reverse proxy configurations may ignore or mishandle them when enforcing access restrictions.
Chapter 4. Updates for 26.4.8
This release contains several fixed issues and the addition of database indexes on the BROKER_LINK table. For details, see the Upgrading Guide.
Chapter 5. Updates for 26.4.7
This release contains several fixed issues.
Chapter 6. Updates for 26.4.6
This release contains several fixed issues and changes related to upgrading. For details, see the Upgrading Guide. Also, this release includes a change to filtering of LDAP referrals to mitigate a CVE.
6.1. Filtering of LDAP referrals
This release adds filtering of LDAP referrals by default. This change enhances security and aligns with best practices for LDAP configurations. If this change is unacceptable, you can disable LDAP referrals in all LDAP providers in all realms.
6.2. Deprecated: Filtering of LDAP referrals
The option
spi-storage—ldap—secure-referral6.3. CVE fix
- CVE-2025-13467 An authenticated realm administrator can configure the LDAP User Federation provider to connect to a malicious LDAP server. By setting the connectionUrl parameter and enabling Referral: follow, the Keycloak server can be forced to deserialize an untrusted Java object from a malicious RMI server during a user sync action.
Chapter 7. Updates for 26.4.5
This release contains several fixed issues.
Chapter 8. Updates for 26.4.4
This release contains several fixed issues and changes related to upgrading. For details, see the Upgrading Guide. Also, an additional feature is deprecated.
8.1. Deprecated: Accepting HTTP requests with non-normalized paths
The
http-accept-non-normalized-pathsBecause this behavior can be problematic for URL filtering, it is deprecated and will be removed in a future release.
Chapter 9. New features and enhancements
The following release notes apply to version 26.4.10 of Red Hat build of Keycloak. This release features new capabilities focused on security enhancements, deeper integration, and improved server administration. The highlights of this release are:
- Passkeys for seamless, passwordless authentication of users.
- Simplified experiences for application developers with streamlined WebAuthn/Passkey registration and simplified account linking to identity providers via application initiated actions.
- Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.
- Simplified deployments across multiple availability zones to boost availability.
- FAPI 2 Final: the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.
- DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.
- Account recovery with 2FA recovery codes, protecting users from lockout. Broader connectivity with the ability to broker with any OAuth 2.0 compliant authorization server, and enhanced trusted email verification for OpenID Connect providers.
- Asynchronous logging for higher throughput and lower latency, ensuring more efficient deployments.
Read on to learn more about each new feature. If you are upgrading from a previous release, also review the changes listed in the Upgrading Guide.
9.1. Security and Standards
9.1.1. Passkeys integration is now supported
Passkeys are now seamlessly integrated in the Red Hat build of Keycloak login forms using both conditional and modal UIs. To activate the integration in the realm, go to Authentication, Policies, Webauthn Passwordless Policy and switch Enable Passkeys to enabled.
For more information, see Passkeys.
9.1.2. FAPI 2 Final is now supported
Red Hat build of Keycloak has support for the latest versions of FAPI 2 specifications. Specifications FAPI 2.0 Security Profile and FAPI 2.0 Message Signing are already promoted to Final and Red Hat build of Keycloak supports them. Red Hat build of Keycloak client policies support the final versions and corresponding client profiles for FAPI 2 are passing the FAPI conformance test suite.
Apart from some very minor polishing of existing policies, Red Hat build of Keycloak has new client profiles (
fapi-2-dpop-security-profilefapi-2-dpop-message-signingFor more details, see FAPI Support.
9.1.3. DPoP is now supported
Red Hat build of Keycloak has support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP), which was previously a preview feature. Also, the supported version includes some improvements and minor capabilities of the DPoP feature such as the following:
- Possibility to make only refresh tokens of a public client to be DPoP bound and omit the binding of an access token.
- All Red Hat build of Keycloak endpoints that are secured by bearer token can now handle DPoP tokens. This includes, for example, the Admin REST API and Account REST API.
-
Possibility to require the parameter in the OIDC authentication request.
dpop_jkt
For more information, see the DPoP section in the documentation.
9.1.4. FIPS 140-2 mode now supports EdDSA
With the upgrade to Bouncy Castle 2.1.x, the algorithm EdDSA can now be used.
9.2. Integration
9.2.1. Automatic certificate management for SAML clients
The SAML clients can now be configured to automatically download the signing and encrypting certificates from the SP entity metadata descriptor endpoint. In order to use this new feature, in the client Settings tab, section Signature and Encryption, configure the Metadata descriptor URL option (the URL where the SP metadata information with the certificates is published) and activate Use metadata descriptor URL. The certificates will be automatically downloaded and cached in the
public-key-storageFor more information, see Creating a SAML client.
9.2.2. Serving as an authorization server in MCP
MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. Using MCP, AI applications can connect to data sources, tools and workflows enabling them to access key information and perform tasks.
To comply with MCP specification, this version provides its OAuth 2.0 Server Metadata via a well-known URI whose format complies with RFC 8414 OAuth 2.0 Authorization Server Metadata specification. Therefore, Keycloak users can now use Keycloak as an authorization server for MCP.
The latest MCP specification 2025-06-18 additionally requires support for resource indicators which are currently not implemented in Red Hat build of Keycloak.
9.2.3. Simplified linking of user accounts to an identity provider
Client-initiated linking a user account to the identity provider is now based on application-initiated action (AIA) implementation. This functionality aligns configuring this functionality, simplifies the error handling in calling the client application, which makes it more useful for a broader audience.
The custom protocol, which was previously used for client-initiated account linking, is now deprecated.
9.2.4. Brokering with OAuth v2 compliant authorization servers
In previous releases, Red Hat build of Keycloak already supported federation with other OpenID Connect and SAML providers, as well as with several Social Providers like GitHub and Google, which are based on OAuth 2.0.
The new OAuth 2.0 broker now closes the gap to federate with any OAuth 2.0 provider. As a result of this change, you can federate with Amazon or other providers. As this is a generic provider, you need to specify the different claims and a user info endpoint in the provider’s configuration.
For more information, see OAuth v2 identity providers.
9.2.5. Trusted email verification when brokering OpenID Connect Providers
Until now, the OpenID Connect broker did not support the standard
email_verifiedStarting with this release, Red Hat build of Keycloak supports this standard claim as defined by the OpenID Connect Core Specification for federation.
Whenever users are federated for the first time or when they re-authenticate and the Trust email setting is enabled, Sync Mode is set to
FORCEemail_verifiedemail_verified9.3. Administration
9.3.1. Update Email Workflow is now supported
Users can now update their email addresses in a more secure and consistent flow. Accounts are forced to both re-authenticate and verify their emails before any account updates.
For more information, see Update Email Workflow.
9.3.2. Optional email domain for organizations
In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios. Starting with this release, an email domain is optional.
When no domain is specified, organization members will not be validated against domain restrictions during authentication and profile validation.
9.3.3. Hiding identity providers from the Account Console
You can now control which identity providers appear in the Account Console based on different options using the
Show in Account consoleFor more information, see General configuration.
9.3.4. Enforce recovery codes setup after setting up OTP
If you have enabled OTPs and recovery codes as a second factor for authentication, you can configure the OTP required action to ask users to set up recovery codes once they set up an OTP.
9.3.5. New conditional authenticator
The Conditional - credential is a new authenticator that checks if a specific credential type has been used (or not used) during the authentication process. This condition is related to the Passkeys feature. It is added by Red Hat build of Keycloak to the default browser flow to skip 2FA in case a passkey was used to log in as the primary credential.
For more information about conditional flows, see Conditions in conditional flows.
9.3.6. Recovering an account after losing 2FA credentials
Users can get locked out of their accounts when they lose their 2FA credentials. For example, a user may have smart phone with a one-time-password (OTP) generator as a second factor for authentication. That user might lose his phone and be locked out.
To work around this issue, users can print a set of recovery codes as an additional second factor. The recovery codes become an alternative 2FA in the login flow. As a result, the user can gain access without using the OTP generated passwords.
With this release, the recovery codes feature is promoted from preview to a supported feature. For newly created realms, the browser flow now includes the Recovery Authentication Code Form as Disabled, and it can be switched to Alternative by admins if they want to use this feature.
For more information about this 2FA method, see Recovery Codes.
9.3.7. Simplified registration for WebAuthn and Passkeys
Both WebAuthn Register actions (
webauthn-registerwebauthn-register-passwordlessskip_if_existsThis change should make it more convenient to use the AIA in scenarios where a user has already set up WebAuthn or Passkeys. The parameter allows skipping the action if the user already has a credential of that type.
For more information, see Registering WebAuthn credentials using AIA.
9.4. Configuring and Running
9.4.1. Enhancements for single-cluster and multi-cluster setups
This release renamed multi-site to multi-cluster. The updated documentation describes how Red Hat build of Keycloak clusters can be optionally distributed across multiple availability-zones within a region for increased availability. The Red Hat build of Keycloak Operator now deploys Red Hat build of Keycloak across multiple availability zones within a Kubernetes cluster by default. Red Hat build of Keycloak also detects split-brains within a cluster.
This change should provide better availability for users who are running Red Hat build of Keycloak in Kubernetes clusters that span multiple availability zones.
9.4.2. Support for additional databases and versions
With this release, we added support for the following new database vendors:
- EnterpriseDB (EDB) Advanced 17.6
- Azure SQL Database and Azure SQL Managed Instance
Where the previous documentation stated only tested database version, it now states all the supported database versions as well.
9.4.3. Expose management interface by HTTP
Previous versions exposed the management endpoint only by HTTPS when the main interface was using HTTPS.
Set the new option
http-management-schemehttp9.4.4. Expose health endpoints on the main HTTP(S) port
With
health-enabledhttp-management-health-enabledfalsefalse/healthThis allows using the health endpoints in environments where the load balancer might need access to those ports to direct traffic to the correct nodes.
9.4.5. Ability to specify a tlsSecret on the Keycloak CR ingress spec
To support basic TLS termination (edge) deployments by the operator, you may now set the Keycloak CR
spec.ingress.tlsSecret9.4.6. Additional datasources configuration
Some Red Hat build of Keycloak use cases like User Federation might require connecting to additional databases. This was possible only through specifying unsupported raw Quarkus properties in previous Red Hat build of Keycloak versions. In this release, there are now dedicated server options for additional datasources. This allows users to leverage additional databases in their extensions in a supported and user-friendly way.
For more details, see Configure multiple datasources.
9.4.7. Asynchronous logging for higher throughput and lower latency
All available log handlers now support asynchronous logging capabilities. Asynchronous logging helps deployments that require high throughput and low latency.
For more details on this feature, see Asynchronous logging.
9.4.8. HTTP access logging of incoming HTTP requests
Red Hat build of Keycloak supports HTTP access logging to record details of incoming HTTP requests. While access logs are often used for debugging and traffic analysis, they are also important for security auditing and compliance monitoring.
For more details, see HTTP Access Logging.
9.4.9. Performance improvements: import, export, and migration
The time it takes to run imports, exports or migrations involving a large number of realms has been improved. A cumulative performance degradation for each additional realm processed is no longer an issue.
9.5. Observability
9.5.1. Operator creates a ServiceMonitor automatically
The Operator now includes a
ServiceMonitormonitoring.coreos.com/v1:ServiceMonitorServiceMonitorServiceMonitorspec.serviceMonitor.enabled: falseRed Hat build of Keycloak supports HTTP access logging to record details of incoming HTTP requests. While access logs are often used for debugging and traffic analysis, they are also important for security auditing and compliance monitoring.
For more information, see Configuring logging.
Chapter 10. Technology preview features
The following new features are in a Technology Preview status:
10.1. Federated client authentication and SPIFFE trust relationship provider
Identity providers are now able to federate client authentication. This allows clients to authenticate with SPIFFE JWT SVIDs, Kubernetes service accounts, or tokens issued by a OpenID Connect identity provider.
10.2. Rolling updates for patch releases for minimized downtime
In the previous release, the Keycloak Operator was enhanced to support performing rolling updates of the Keycloak image if both images contain the same version. This is useful, for example, when switching to an optimized image, changing a theme or a provider source code.
In this release, we extended this capability to perform a rolling update when the new image contains a future patch release from the same
major.minorFor more details, see Rolling updates.
10.3. Showing context information in log messages
You can now add context information via the mapped diagnostic context (MDC) to each log message like the realm or the client that initiated the request. This helps you to track down a warning or error message in the log to a specific caller or environment
For more details on this feature, see Adding context for log messages.
10.4. Existing technology preview features
Also, the following existing features remain in a technology preview status:
- Client Secret Rotation
- JavaScript support to write custom authenticators
Chapter 11. Adapter support
At this version of Red Hat build of Keycloak, the following adapters are supported:
- JavaScript adapter: 26.2.1
- Node.js adapter: 26.1.1
- JBoss EAP OpenID Connect adapter: 8.0
- Keycloak SAML Adapter RPM for JBoss EAP: 8.0
Chapter 12. Deprecated features
The following sections provide details on deprecated features.
12.1. Disabling filtering of LDAP referrals
The option
spi-storage—ldap—secure-referral12.2. SPI options separating the provider with a single dash
SPI options ending in
-enabled-provider-default-providerTo resolve this ambiguity, and any potential ambiguity involving SPI and provider names, a new SPI option format was introduced where the scopes and suffix are separated by
---spi-<spi-name>--<provider-name>--...An SPI property ending in
-enabled-provider-default-providerspi-<spi-name>--<provider-name>--enabledFor instance, the correct way to reference your custom email template is:
--spi-email-template--mycustomprovider--enabled--spi-email-template-mycustomprovider-enabledOptions using the legacy format and ending in
-enabled-provider-default-provider12.3. Kubernetes cache stack
The
kubernetesjdbc-pingConsequently, the Keycloak Operator now uses the
jdbc-ping12.4. method RequiredActionProvider.getMaxAuthAge()
The method
RequiredActionProvider.getMaxAuthAge()RequiredActionProvider.getMaxAuthAge(KeycloakSession session)12.5. spi-connections-infinispan-quarkus-site-name
The option
spi-connections-infinispan-quarkus-site-namespi-cache-embedded-default-site-name12.6. Proprietary protocol for client initiated linking to the identity provider account
When you want the user, who is authenticated to your client application, to link his or her account to a specific identity provider, consider using the Application initiated action (AIA) based mechanism with the action
idp_link12.7. Instagram Identity Broker
In this release, the Instagram Identity Broker is deprecated for removal and is not enabled by default. If you are using this broker, it is recommended to use the Facebook Identity Broker instead.
If you are using the Instagram Identity Broker and want to re-enable it, you can do it by enabling the
instagram-brokerfeatures--features=instagram-broker12.8. Local admin
UrlType.LOCAL_ADMINlocalAdminUrl12.9. Password policy Recovery Codes Warning Threshold
In relation to supported Recovery codes, we deprecated the password policy
Recovery Codes Warning Threshold12.10. Scope.getPropertyNames
The
org.keycloak.Config.Scope.getPropertyNames12.11. displayTest field in ConsentScopeRepresentation
The
displayTestConsentScopeRepresentationdisplayTextConsentScopeRepresentation12.12. Lifetime of offline session caches
The options
--spi-user-sessions--infinispan--offline-session-cache-entry-lifespan-override--spi-user-sessions--infinispan--offline-client-session-cache-entry-lifespan-overrideInstead use the options
cache-embedded-offline-sessions-max-countcache-embedded-offline-client-sessions-max-count12.13. Passkeys Conditional UI Authenticator
The authenticator Passkeys Conditional UI Authenticator is deprecated and disabled by default. It now requires the feature
passkeys_conditional_ui_authenticator12.14. Modifying default cache configurations in the cache config file
All Red Hat build of Keycloak default cache configurations have been removed from
conf/cache-ispn.xmlconf/cache-ispn.xml--cache-config-file--cache-config-mutate=trueIn a future major release, the start-up will fail if default cache configurations are stated in those files and the option is not specified.
12.15. Simplified API for UserSessionProvider
In order to retrieve a client session via
UserSessionProvider#getClientSession12.16. Simplified API for AuthenticatedClientSessionModel
The
clientIdgetClient()12.17. Sending OpenID Connect client secret by basic authentication without URL encoding
In a scenario where Red Hat build of Keycloak acts as a broker and connects by OpenID Connect to another identity provider, you can choose to send the client secret as Client secret sent as HTTP Basic authentication without URL encoding (client_secret_basic_unencoded). While this violates RFC6749, it can be used to keep the default behavior of earlier versions of Red Hat build of Keycloak.
Chapter 13. Removed features
The following features have been removed from this release.
13.1. jboss.site.name and jboss.node.name
Both system properties have been used internally within Keycloak and have not been part of the official documentation. Red Hat build of Keycloak will fail to start if those are present.
Instead, use the command line option
spi-cache-embedded-default-site-namejboss.site.namespi-cache-embedded-default-node-namejboss.node.name13.2. KeycloakSessionTask.useExistingSession method
KeycloakSessionTask.useExistingSessionIn previous releases, there was a default implementation in the interface returning
falseChapter 14. Fixed issues
Each release contains fixed issues:
- Red Hat build of Keycloak 26.4.10 fixed issues
- Red Hat build of Keycloak 26.4.9 fixed issues
- Red Hat build of Keycloak 26.4.8 fixed issues
- Red Hat build of Keycloak 26.4.7 fixed issues
- Red Hat build of Keycloak 26.4.6 fixed issues
- Red Hat build of Keycloak 26.4.5 fixed issues
- Red Hat build of Keycloak 26.4.4 fixed issues
- Red Hat build of Keycloak 26.4.2 fixed issues
Chapter 15. Supported configurations
For the supported configurations for Red Hat build of Keycloak 26.4, see Supported configurations.
Chapter 16. Component details
For the list of supported component versions for Red Hat build of Keycloak 26.4, see Component details.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}