RATATOSKRATATOSK
ログイン

Keycloak

26.6.3Security
2026年6月5日

Keycloak 26.6.3 is a critical security release fixing 16 CVEs spanning OIDC, SAML, LDAP, WebAuthn, and authorization services. Upgrade immediately.

  • securityUpgrade to 26.6.3 now — 16 CVEs, several high-severity

    This release patches a dense cluster of vulnerabilities. The most dangerous include: CVE-2026-9704 (privilege escalation via silent subject_token removal in token exchange), CVE-2026-4874 (SSRF via OIDC token endpoint), CVE-2026-9802 (rotated refresh token reuse after server restart with revokeRefreshToken=true), and CVE-2026-8830 (missing WebAuthn server-side validation). If you're running any 26.x version, treat this as an emergency patch. Review the migration guide before upgrading, but don't delay the upgrade waiting for a maintenance window — schedule one immediately.

  • securityAudit redirect URI configs after wildcard matching fix

    CVE fix for wildcard redirect URI matching (issue #48430) changes enforcement behavior — '*' placed directly after a hostname no longer matches arbitrary subdomains or paths. After upgrading, verify that legitimate client redirect URIs still work correctly in your environments. Any client relying on overly broad wildcard patterns should be tightened anyway; this is a good forcing function.

  • securityReview LDAP federation and token exchange configurations

    Two targeted vectors: CVE-2026-9801 allows DoS via malformed PasswordPolicyControl in LDAP federation — if you expose LDAP federation to partially-trusted inputs or have external-facing auth flows backed by LDAP, this is high priority. CVE-2026-9704 affects any realm using token exchange with subject_token; the fix prevents silent removal of subject_token from escalating privileges. Confirm your token exchange policies are scoped correctly post-upgrade.

主な変更 (5)

  • 16 CVEs patched: privilege escalation via token exchange, SSRF on OIDC endpoint, CORS header reflection from unverified JWT claims, WebAuthn registration bypass, and more
  • Refresh token revocation bypass fixed: server restarts no longer reset startupTime, closing a window where rotated tokens could be reused when revokeRefreshToken=true
  • Wildcard redirect URI matching now enforces host boundaries — previous behavior allowed subdomain/path bypass attacks
  • ROPC grant client policy enforcement and token introspection notBefore handling both patched to close privilege escalation paths
  • Startup check added for missing DB indexes; SQL Server case-sensitive collation upgrade failure fixed