RATATOSKRATATOSK
ログイン

Keycloak

26.6.4Security
2026年6月27日

Keycloak 26.6.4 is a security release fixing eight CVEs, including two critical issues (privilege escalation and JWT authentication bypass) and four high-severity authorization bypasses. Operators should upgrade promptly; the release also bumps Quarkus to 3.33.2.1.

  • securityTwo critical vulnerabilities: group-admin escalation and JWT auth bypass

    CVE-2026-9099 lets a group admin escalate to realm-admin, and CVE-2026-11800 allows authentication bypass via JWT algorithm confusion. Both are rated critical. Upgrade to 26.6.4 as soon as possible.

  • securityFour high-severity authorization and access-control bypasses

    CVE-2026-9705 (client takeover via registration access token), CVE-2026-9795 (privilege escalation via scope mapping), CVE-2026-9799 (UMA permission ticket bypass), and CVE-2026-9800 (policy enforcer authorization bypass via incorrect URI comparison) are all rated high. If you use UMA authorization, fine-grained scope mappings, or the Policy Enforcer, prioritize this upgrade.

  • securityTwo medium-severity issues: info disclosure and XSS

    CVE-2026-9083 (filesystem path probing) and CVE-2026-9086 (XSS via case-insensitive URI validation bypass) are rated medium and round out the fix set.

主な変更 (5)

  • Eight CVEs fixed in this release, two rated critical: CVE-2026-9099 (group-admin to realm-admin escalation) and CVE-2026-11800 (JWT algorithm confusion auth bypass)
  • Four high-severity fixes: client takeover via registration access token (CVE-2026-9705), scope-mapping privilege escalation (CVE-2026-9795), UMA permission ticket bypass (CVE-2026-9799), and Policy Enforcer authorization bypass via URI comparison (CVE-2026-9800)
  • Two medium-severity fixes: filesystem path probing information disclosure (CVE-2026-9083) and URI validation bypass XSS (CVE-2026-9086)
  • Quarkus dependency bumped to 3.33.2.1
  • Minor build and packaging fixes: Infinispan protoschema build on the 26.2 branch, CI fixes for JS and Admin Client test suites, keycloak-api-docs-dist packaging, plus a migration guide reference correction