Keycloak
26.5.6SecurityKeycloak 26.5.6 is a critical security release patching 8 CVEs spanning SSRF, token reuse, IDOR, privilege escalation, and multiple information disclosure vulnerabilities. Upgrade immediately.
securityPatch all 8 CVEs — upgrade to 26.5.6 now
This release fixes eight CVEs covering SSRF, token replay, privilege escalation, IDOR, and multiple information disclosure paths. Three of these (SSRF via jwks_uri, privilege escalation via manage-clients, and auth session contamination) are particularly dangerous in multi-tenant or public-facing deployments. There is no workaround — upgrade is the only fix. If you're on any 26.x version, treat this as an emergency patch.
securityAudit manage-clients grants and OIDC Dynamic Client Registration usage
CVE-2026-3121 (privilege escalation via manage-clients) and CVE-2026-1180 (SSRF via jwks_uri in dynamic client registration) both require reviewing your current permission grants and feature flags. After upgrading, audit which users/service accounts hold manage-clients. If you don't use OIDC Dynamic Client Registration, disable it at the realm level to eliminate the SSRF attack surface entirely.
breakingVerify Operator DB config and multi-realm startup behavior post-upgrade
The 26.5.0 Operator regression for DB targetServerType=primary (affecting master-replica failover) and the O(N²) startup scan introduced in 26.5.4 are both fixed here. If you hit either of these bugs, validate your DB connection failover behavior and startup times after upgrading. Large deployments with many realms should see noticeably faster restarts.
Key changes (6)
- CVE-2026-1180: Blind SSRF via OIDC Dynamic Client Registration jwks_uri — attackers can probe internal network endpoints
- CVE-2026-1035: Refresh token reuse bypass via TOCTOU race condition — token replay attacks become possible
- CVE-2026-3121: Privilege escalation via manage-clients permission — low-privilege users may gain elevated access
- CVE-2025-14777: IDOR in realm client create/delete — unauthorized cross-realm client manipulation
- Bug fix: AUTH_SESSION_ID cookie reuse caused cross-user session contamination on re-authentication — a serious data isolation issue
- Bug fix: O(N²) startup regression with many realms introduced in 26.5.4 is resolved — large deployments were severely impacted