26.6.1 is a security patch release fixing two CVEs — blind SSRF and user enumeration — plus a critical migration bug that broke authentication flows when upgrading from older versions.
securityPatch immediately for SSRF and user enumeration CVEs
Two CVEs in 26.6.0 (and earlier) need your attention. CVE-2026-4366 allows blind SSRF through HTTP redirect handling — a real risk if Keycloak can reach internal services. CVE-2026-4633 leaks user existence through identity-first login, which aids credential stuffing. Upgrade to 26.6.1 now. If you can't upgrade immediately, consider disabling identity-first login as a short-term mitigation for CVE-2026-4633.
breakingIf you upgraded to 26.6.0, check your custom authentication flows immediately
The MigrateTo26_6_0 migration script had a bug that modified custom browser flows, potentially breaking realm authentication silently. If you upgraded to 26.6.0 and noticed login failures or unexpected flow behavior, this is why. Upgrading to 26.6.1 fixes the migration, but you may need to manually review and repair any already-affected custom flows in your realms. Audit them before upgrading in production.
breaking26.6.0 JS/Java admin clients were broken — use 26.6.1 packages
Both @keycloak/keycloak-admin-client (JS) and the Java admin client had packaging issues in 26.6.0 that prevented installation or sync. If your pipelines or applications depend on these libraries and you pinned to 26.6.0, they are likely broken. Update your dependency references to 26.6.1 immediately.
Key changes (5)
- CVE-2026-4366: Blind SSRF via HTTP redirect handling in core — attackers could probe internal network resources
- CVE-2026-4633: User enumeration via identity-first login — leaks whether usernames exist in the system
- MigrateTo26_6_0 bug fixed: upgrading to 26.6.0 was silently corrupting custom browser authentication flows in existing realms
- Infinite redirect loop fixed when IdP returns access_denied with kc_idp_hint set
- Database at-rest encryption support added; CloudNativePG operator updated to 1.29