Keycloak
26.5.4SecurityKeycloak 26.5.4 is a critical security patch release addressing 5 CVEs including SAML vulnerabilities and authorization bypass issues. Includes performance improvements and cluster stability fixes.
securityImmediate upgrade required for multiple CVEs
This release fixes 5 CVEs including authorization bypass and DoS vulnerabilities. Review your SAML configurations and Docker registry protocol usage. Schedule immediate upgrade during next maintenance window, especially if using SAML brokering or have Docker registry integrations.
securityVerify client secret exposure in configurations
CVE fix addresses client secret disclosure on unauthenticated endpoints. After upgrade, audit your client configurations and rotate any potentially exposed secrets. Review access logs for unauthorized config endpoint access.
enhancementOptimize cluster performance post-upgrade
New session ID key affinity and improved caching will enhance performance in clustered deployments. Monitor login page response times and cluster stability after upgrade - you should see reduced database queries and better load distribution.
Key changes (5)
- Fixed 5 critical CVEs including SAML response delays, authorization header parsing bypass, and DoS vulnerabilities
- Resolved client secret information disclosure on unauthenticated config endpoints
- Enhanced session ID key affinity mechanism for improved load balancing
- Fixed cluster rejoining issues with 3+ node configurations using jdbc-ping
- Improved database query caching performance on login page loads