Keycloak
26.6.2SecurityKeycloak 26.6.2 is a security-heavy patch release addressing 16 CVEs spanning session fixation, XSS, access control bypass, redirect URI validation, and cryptographic weaknesses. Upgrade immediately.
securityUpgrade immediately — multiple account takeover and data leakage CVEs
This release patches session fixation (CVE-2026-7507) enabling account takeover, redirect URI bypass (CVE-2026-7504), access token disclosure (CVE-2026-7571), stored XSS in org templates (CVE-2026-37980), and PII enumeration via account resource lookup (CVE-2026-37981). These are not theoretical — they affect standard OIDC flows and admin APIs. Any Keycloak 26.x deployment should be upgraded to 26.6.2 without delay. Check your change management process, but treat this as an emergency patch.
securityFreeMarker RCE risk — audit custom login themes before upgrading
CVE tracked under #47915 allowed FreeMarker templates to instantiate arbitrary Java objects and execute OS commands. If you have custom login themes that accept any user-influenced input in FTL files, audit them now. The fix adds proper expression escaping in JS blocks within FTL pages. After upgrading, test your custom themes to ensure the new escaping doesn't break existing behavior — especially in frontchannel-logout.ftl.
securityWebAuthn AAGUID policy bypass — re-verify authenticator enrollment policies
CVE-2026-6856 allowed packed self-attestation to bypass AAGUID allowlist policies during WebAuthn registration. If you rely on AAGUID restrictions to enforce specific authenticator hardware (e.g., FIDO2 security keys in regulated environments), credentials may have been enrolled that violate your policy. After upgrading, review recently enrolled WebAuthn credentials and consider requiring re-enrollment if strict hardware attestation is a compliance requirement.
Key changes (5)
- 16 CVEs patched including critical issues: session fixation in OIDC flow (account takeover), redirect URI validation bypass, access token disclosure via forged client data, and stored XSS in organization template
- WebAuthn AAGUID policy bypass via packed self-attestation fixed — attestation enforcement was not reliable before this patch
- OIDC introspection endpoint now enforces audience restrictions, preventing claim leakage from lightweight access tokens
- FreeMarker templates hardened against object instantiation and OS command execution — a serious RCE-class vulnerability in login UI
- JDBC_PING cluster discovery updated to not break under 26.7 schema changes, easing rolling upgrades