RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

プロジェクト: Keycloak解除 ×

Keycloak

Security2026年4月15日

26.6.1 is a security patch release fixing two CVEs — blind SSRF and user enumeration — plus a critical migration bug that broke authentication flows when upgrading from older versions.

  • securityPatch immediately for SSRF and user enumeration CVEs

    Two CVEs in 26.6.0 (and earlier) need your attention. CVE-2026-4366 allows blind SSRF through HTTP redirect handling — a real risk if Keycloak can reach internal services. CVE-2026-4633 leaks user existence through identity-first login, which aids credential stuffing. Upgrade to 26.6.1 now. If you can't upgrade immediately, consider disabling identity-first login as a short-term mitigation for CVE-2026-4633.

  • breakingIf you upgraded to 26.6.0, check your custom authentication flows immediately

    The MigrateTo26_6_0 migration script had a bug that modified custom browser flows, potentially breaking realm authentication silently. If you upgraded to 26.6.0 and noticed login failures or unexpected flow behavior, this is why. Upgrading to 26.6.1 fixes the migration, but you may need to manually review and repair any already-affected custom flows in your realms. Audit them before upgrading in production.

  • breaking26.6.0 JS/Java admin clients were broken — use 26.6.1 packages

    Both @keycloak/keycloak-admin-client (JS) and the Java admin client had packaging issues in 26.6.0 that prevented installation or sync. If your pipelines or applications depend on these libraries and you pinned to 26.6.0, they are likely broken. Update your dependency references to 26.6.1 immediately.

主な変更 (5)
  • CVE-2026-4366: Blind SSRF via HTTP redirect handling in core — attackers could probe internal network resources
  • CVE-2026-4633: User enumeration via identity-first login — leaks whether usernames exist in the system
  • MigrateTo26_6_0 bug fixed: upgrading to 26.6.0 was silently corrupting custom browser authentication flows in existing realms
  • Infinite redirect loop fixed when IdP returns access_denied with kc_idp_hint set
  • Database at-rest encryption support added; CloudNativePG operator updated to 1.29
原文

Keycloak

Security2026年4月8日

Keycloak 26.6.0 graduates several preview features to fully supported — JWT Authorization Grant, Federated Client Auth, Workflows, and zero-downtime patch releases — while fixing a notable set of security bugs across UMA, SCIM, and Organizations.

  • securityPatch SCIM and UMA vulnerabilities immediately

    Two separate SCIM bugs allowed IDOR-style resource modification and authorization bypass in group management. UMA permission grant accepted expired ID tokens and tokens issued to other clients. These are fixed in 26.6.0. If you use SCIM or UMA, upgrade now — no config change needed, but verify your SCIM plugin/extension is compatible with the new validation.

  • breakingSwitch to KCRAW_ prefix if secrets contain $ characters

    If you inject passwords or secrets via environment variables and they contain $ characters (e.g., from a secrets manager), the KC_ prefix silently mangles them via SmallRye expression evaluation. Use KCRAW_<KEY> instead of KC_<KEY> to preserve literal values. Audit your current env var injection before upgrading — any secrets with ${ or $$ patterns may have been silently broken in prior versions.

  • enhancementEnable zero-downtime rolling updates in your Operator deployments

    Zero-downtime patch releases are now on by default. If you run Keycloak via the Operator, explicitly set the update strategy to Auto to benefit. Also review the new graceful HTTP shutdown defaults (1s delay, 1s timeout) — adjust these upward if your reverse proxy takes longer to drain connections, especially in non-Kubernetes setups with longer-lived connections.

主な変更 (7)
  • JWT Authorization Grant (RFC 7523) and Federated Client Authentication are now GA, enabling external-to-internal token exchange without managing per-client secrets
  • Zero-downtime patch releases are now enabled by default; Operator users should set update strategy to Auto
  • New KCRAW_ environment variable prefix prevents SmallRye from mangling passwords containing $ characters — addresses a silent data-corruption bug
  • UMA permission grant now rejects expired ID tokens and tokens issued to different clients (security fixes #46716, #46717)
  • SCIM IDOR bug fixed: PUT endpoint no longer allows resource modification via body ID override (#46658); SCIM authorization bypass in group management also patched (#47536)
  • OTP and password brute-force protection separated by default to prevent OTP bypass attacks (#46164)
  • Keycloak and KeycloakRealmImport CRDs promoted to v2beta1
原文

Keycloak

Security2026年3月19日

Keycloak 26.5.6 is a critical security release patching 8 CVEs spanning SSRF, token reuse, IDOR, privilege escalation, and multiple information disclosure vulnerabilities. Upgrade immediately.

  • securityPatch all 8 CVEs — upgrade to 26.5.6 now

    This release fixes eight CVEs covering SSRF, token replay, privilege escalation, IDOR, and multiple information disclosure paths. Three of these (SSRF via jwks_uri, privilege escalation via manage-clients, and auth session contamination) are particularly dangerous in multi-tenant or public-facing deployments. There is no workaround — upgrade is the only fix. If you're on any 26.x version, treat this as an emergency patch.

  • securityAudit manage-clients grants and OIDC Dynamic Client Registration usage

    CVE-2026-3121 (privilege escalation via manage-clients) and CVE-2026-1180 (SSRF via jwks_uri in dynamic client registration) both require reviewing your current permission grants and feature flags. After upgrading, audit which users/service accounts hold manage-clients. If you don't use OIDC Dynamic Client Registration, disable it at the realm level to eliminate the SSRF attack surface entirely.

  • breakingVerify Operator DB config and multi-realm startup behavior post-upgrade

    The 26.5.0 Operator regression for DB targetServerType=primary (affecting master-replica failover) and the O(N²) startup scan introduced in 26.5.4 are both fixed here. If you hit either of these bugs, validate your DB connection failover behavior and startup times after upgrading. Large deployments with many realms should see noticeably faster restarts.

主な変更 (6)
  • CVE-2026-1180: Blind SSRF via OIDC Dynamic Client Registration jwks_uri — attackers can probe internal network endpoints
  • CVE-2026-1035: Refresh token reuse bypass via TOCTOU race condition — token replay attacks become possible
  • CVE-2026-3121: Privilege escalation via manage-clients permission — low-privilege users may gain elevated access
  • CVE-2025-14777: IDOR in realm client create/delete — unauthorized cross-realm client manipulation
  • Bug fix: AUTH_SESSION_ID cookie reuse caused cross-user session contamination on re-authentication — a serious data isolation issue
  • Bug fix: O(N²) startup regression with many realms introduced in 26.5.4 is resolved — large deployments were severely impacted
原文