26.5.7 is a critical security release patching 7 CVEs, including privilege escalation, redirect URI bypass, and unauthorized cross-user permission grants. Upgrade immediately.
securityPatch now — multiple high-severity CVEs in this release
Seven CVEs are fixed here, spanning privilege escalation (CVE-2026-4282), redirect URI bypass (CVE-2026-3872), cross-user permission injection (CVE-2026-4636), and an unauthenticated DoS via scope processing (CVE-2026-4634). These aren't theoretical — attackers with basic access or even anonymous access could exploit several of these. Upgrade to 26.5.7 as fast as your change process allows. If you use UMA policies or expose the Admin REST API, treat this as an emergency patch.
securityAudit Admin REST API access and UMA policy configurations post-upgrade
CVE-2025-14083 (Admin API info disclosure) and CVE-2026-4636 (UMA cross-user permission grants) suggest that access controls around admin and UMA endpoints were not properly enforced. After upgrading, review which clients and service accounts have Admin REST API access, and audit your UMA resource/policy definitions for unexpected grants. Don't assume the patch alone closes the exposure if misconfigured principals already exploited these paths.
enhancementQuarkus upgraded to 3.27.3 — monitor for runtime behavior changes
The Quarkus runtime bump also pulls in a fix for CVE-2026-1002 (vertx-core static handler cache manipulation causing DoS on static files). If you serve static content through Keycloak or have customized themes, verify those assets load correctly after upgrade. Quarkus minor upgrades occasionally shift default configurations, so a smoke test on your login flows is worth running.
Key changes (5)
- CVE-2025-14083: Admin REST API improper access control leaks information to unauthorized callers
- CVE-2026-4282: Forged authorization codes possible due to SingleUseObjectProvider isolation flaw — privilege escalation risk
- CVE-2026-3872: Redirect URI validation bypassed via ..;/ path traversal in the OIDC auth endpoint
- CVE-2026-4636: UMA policy resource injection allows unauthorized cross-user permission grants
- CVE-2026-4634: Application-level DoS via scope processing — no authentication required to trigger