fix(deps): update dependency org.keycloak:keycloak-server-spi-private to v26 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
org.keycloak:keycloak-server-spi-private (source)	25.0.6 → 26.6.0

---

Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes

CVE-2026-0871 / GHSA-v4jw-m6rm-399h

More information

Details

A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

Severity

• CVSS Score: 4.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-0871
• https://github.com/keycloak/keycloak/issues/45873
• https://github.com/keycloak/keycloak/commit/9d0f679ecea405958f167fcd0f4a6db6ae32c3fa
• https://access.redhat.com/errata/RHSA-2026:2365
• https://access.redhat.com/errata/RHSA-2026:2366
• https://access.redhat.com/security/cve/CVE-2026-0871
• https://bugzilla.redhat.com/show_bug.cgi?id=2428881
• https://github.com/keycloak/keycloak

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure

CVE-2026-3190 / GHSA-q35r-vvhv-vx5h

More information

Details

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the uma_protection role check. This allows any authenticated user with a token issued for a resource server client, even without the uma_protection role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.

Severity

• CVSS Score: 4.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-3190
• https://github.com/keycloak/keycloak/issues/46723
• https://github.com/keycloak/keycloak/commit/f1baf25cbb1551202570f954102eb2d270ab0694
• https://access.redhat.com/errata/RHSA-2026:6477
• https://access.redhat.com/errata/RHSA-2026:6478
• https://access.redhat.com/security/cve/CVE-2026-3190
• https://bugzilla.redhat.com/show_bug.cgi?id=2442572
• https://github.com/keycloak/keycloak

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Keycloak: Unauthorized authentication via disabled SAML Identity Provider

CVE-2026-2603 / GHSA-x4p7-7chp-64hq

More information

Details

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-2603
• https://github.com/keycloak/keycloak/issues/46911
• https://github.com/keycloak/keycloak/pull/46932
• https://github.com/keycloak/keycloak/commit/8ed7e59dc08d79751a27c23aadb590f06b43f132
• https://access.redhat.com/errata/RHSA-2026:3925
• https://access.redhat.com/errata/RHSA-2026:3926
• https://access.redhat.com/errata/RHSA-2026:3947
• https://access.redhat.com/errata/RHSA-2026:3948
• https://access.redhat.com/security/cve/CVE-2026-2603
• https://bugzilla.redhat.com/show_bug.cgi?id=2440300
• https://github.com/keycloak/keycloak

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

keycloak/keycloak (org.keycloak:keycloak-server-spi-private)

v26.6.0

Compare Source

Highlights

This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:

• JWT Authorization Grant, enabling external-to-internal token exchange using externally signed JWT assertions.

• Federated client authentication, eliminating the need to manage individual client secrets in Keycloak.

• Workflows, enabling administrators to automate realm administrative tasks such as user and client lifecycle management.

• Zero-downtime patch releases, allowing rolling updates within a minor release stream without service downtime.

• The Keycloak Test Framework, replacing the previous Arquillian-based solution.

All of these features are now fully supported and no longer in preview. Read on to learn more about each new feature. If you are upgrading from a previous release, also review the changes listed in the upgrading guide.

Security and Standards

JWT Authorization Grant (supported)

JWT Authorization Grant (RFC 7523) is designed to implement external-to-internal token exchange use cases. This grant allows using externally signed JWT assertions to request OAuth 2.0 access tokens.

In this release, JWT Authorization Grant is promoted from preview to supported. See the JWT Authorization Grant guide for additional details.

Federated client authentication (supported)

Federated client authentication allows clients to leverage existing credentials once a trust relationship with another issuer exists. It eliminates the need to assign and manage individual secrets for each client in Keycloak.

Federated client authentication is now promoted to supported, including support for client assertions issued by external OpenID Connect identity providers and Kubernetes Service Accounts.

Since the OAuth SPIFFE Client Authentication specification is still in draft status, this feature remains a preview feature in Keycloak.

New guide about Demonstrating Proof-of-Possession (DPoP)

A new guide for OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) in the Securing applications Guides provides information on how to mitigate the risk of stolen tokens by making tokens sender-constrained.

See Securing applications with DPoP for more details.

Identity Brokering APIs V2 (preview)

A new preview version 2 for the Identity Brokering APIs is introduced in this release. When brokering is used during the authentication process, Keycloak allows you to store tokens and responses issued by the external Identity Provider. Applications can call a specific endpoint to retrieve those tokens, which, in turn, can be used to get extra user information or invoke endpoints in the external trust domain. The new version improves the token retrieval endpoint to substitute the internal to external Token Exchange (use case for the legacy Token Exchange V1).

For more information, see the chapter Identity Brokering APIs in the Server Developer Guide.

Step-up authentication for SAML (preview)

The feature step-up-authentication-saml extends the step-up authentication to include the SAML protocol and clients. This feature is in preview mode. Additional information is available in the Server Administration Guide.

OAuth Client ID Metadata Document (experimental)

OAuth Client ID Metadata Document (CIMD) is an emerging standard that defines a JSON document format for describing OAuth 2.0 client metadata. Since version 2025-11-25, the Model Context Protocol (MCP) requires an authorization server to comply with CIMD. Keycloak now includes experimental support for CIMD, allowing it to serve as an authorization server for MCP version 2025-11-25 or later.

See Integrating with Model Context Protocol (MCP) for the updated guide including CIMD.

Many thanks to Takashi Norimatsu for the contribution.

Administration

Workflows (supported)

Workflows allow administrators to automate and orchestrate realm administrative tasks, bringing key capabilities of Identity Governance and Administration (IGA) to Keycloak. By defining workflows in YAML format, you can automate the lifecycle of realm resources such as users and clients based on events, conditions, and schedules.

In this release, Workflows is promoted from preview to supported. This release also includes new built-in steps, a troubleshooting guide, and various improvements to the workflow engine.

For more details, see the Managing workflows chapter in the Server Administration Guide.

Organization groups

Organizations now support isolated group hierarchies, allowing each organization to manage its own teams and departments without naming conflicts across the realm. This update includes Identity Provider mappers to automatically assign federated users to organization groups based on external claims. Group membership is automatically included in OIDC tokens and SAML assertions when an organization context is requested.

For more details, see the Managing organization groups guide.

New Groups scope for user membership changes

Fine-Grained Admin Permissions (FGAP) now includes a new Groups scope: manage-membership-of-members.

This scope is now used as the group-side bridge for evaluating user-side manage-group-membership permissions based on a user&#​8217;s current group memberships. The existing manage-membership scope keeps its current behavior for target group membership management operations.

Looking up client secrets via the Vault SPI

Secrets for clients can now be managed and looked up by the Vault SPI.

Thank you to Tero Saarni for contributing this change.

Forcing password change for LDAP users

There is now initial support for LDAP password policy control. The support is limited to prompting users to update their password when the LDAP server indicates that the password must be changed. Previously, Keycloak let the user in and ignored the mandatory password reset. There is a new optional setting &#​8220;Enable LDAP password policy&#​8221; in the LDAP advanced settings to enable this.

Thank you to Tero Saarni for contributing this change.

Configuring and Running

Java 25 support

Keycloak now supports running with OpenJDK 25. The server container image continues to use OpenJDK 21 for now to support FIPS mode. For details, see the note in the FIPS guide.

Zero-downtime patch releases (supported)

Zero-downtime patch releases allow you to perform rolling updates when upgrading to a newer patch version within the same major.minor release stream without service downtime.

In this release, zero-downtime patch releases are promoted to supported and enabled by default. When using the Keycloak Operator, set the update strategy to Auto to benefit from this functionality.

For more details on the Operator configuration, see the Avoiding downtime with rolling updates guide.

Installation instructions for CloudNativePG

For those running Keycloak on Kubernetes, there is now a guide on how to deploy a PostgreSQL database on Kubernetes by leveraging the CloudNativePG Operator and how to connect Keycloak to the database.

See Deploying CloudNativePG in multiple availability zones in the High Availability Guide for details.

Simplified database operations

Several new command line options simplify the database operations for Keycloak and remove the need to use raw JDBC connection options:

• Configure TLS for the database connection.

• Database connection timeouts.

• Transaction timeouts with production-ready defaults.

It also verifies the correct UTF-8 character encoding of the database at startup and prints a warning if this is not the case.

When running on orchestrators like Kubernetes, the startup and liveness probes return UP during database migrations, simplifying upgrades by removing the need to adjust the probes during upgrades.

See the migration guide for additional details on each aspect.

Graceful shutdown of HTTP stack

To allow rolling updates for configuration changes or version updates, a graceful shutdown of Keycloak nodes prevents users from seeing error responses when logging in or refreshing their tokens when nodes shut down.

Starting with this version, Keycloak supports a graceful shutdown of the HTTP stack. This includes delaying a shutdown after receiving a termination signal, connection draining for HTTP/1.1 and HTTP/2 connections during that period, and a shutdown timeout to finish ongoing requests.

The defaults are a shutdown delay and a shutdown timeout of one second each. This should be a good fit for setups where the reverse proxy is using TLS edge termination or re-encryption and the reverse proxy is notified about the Keycloak node shutting down at the same time as the Keycloak node. This is a common setup, for example, in Kubernetes environments.

Users should adjust those values depending on their proxy setup. See the section Graceful HTTP shutdown in the reverse proxy guide for more information.

New KCRAW_ prefix for environment variables to preserve literal values

Keycloak now supports a KCRAW_ prefix for environment variables to preserve values containing $ characters exactly as written, without expression evaluation.

When using the standard KC_ prefix, Keycloak (via SmallRye Config) evaluates expressions in values (for example, ${some_key} is resolved and $$ is collapsed to $). This can silently modify passwords or secrets injected by a secrets manager or orchestration tool where manual escaping is not feasible.

Setting KCRAW_<KEY> instead of KC_<KEY> preserves the value exactly as provided.

See the Preserving literal values with the KCRAW_ prefix section in the Server Configuration guide for details.

Automatic reload of lists with disallowed passwords

When a list of disallowed passwords (also known as blacklist) changes, it is automatically reloaded. This avoids the need for a server restart when the list changes.

Thank you to Tero Saarni for contributing this change.

Automatic truststore initialization on Kubernetes and OpenShift

Keycloak now automatically discovers and trusts cluster certificate authorities when running on Kubernetes or OpenShift, without requiring the Operator to preconfigure the truststore.

If present in the container filesystem, the following certificates are added to the system truststore at startup:

• /var/run/secrets/kubernetes.io/serviceaccount/ca.crt (Kubernetes service account CA)

• /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt (OpenShift service CA)

This behavior is enabled by default and can be controlled with the server option --truststore-kubernetes-enabled=true|false (default: true).

Most deployments do not require any action. If you relied on the Operator to manage these truststore entries previously, the server now performs the same function directly.

Client certificate lookup providers for Traefik and Envoy

You can now use new client certificate lookup providers for Traefik and Envoy proxies. For details, see the Enabling Client Certificate Lookup section of the documentation.

Configurable Kubernetes Service name and port in the Keycloak Operator

The Keycloak Operator now supports overriding the name and port of the Kubernetes Service it creates for a Keycloak deployment.

Previously, the Service name was always derived as <cr-name>-service and the Service port always matched the container port. You can now use the spec.http.serviceName, spec.http.serviceHttpsPort, and spec.http.serviceHttpPort fields to configure these independently.

For more details, see the Advanced configuration guide.

Sensitive information is not displayed in the HTTP Access log

If you are using the HTTP Access logging capability, sensitive information is omitted. This means that tokens in the 'Authorization' HTTP header and specific sensitive cookies are not shown.

For more information, see Configuring HTTP access logging.

Configurable log file rotation

It is now possible to configure log file rotation when using Keycloak&#​8217;s built-in file logging handler. This includes a simple option to fully disable log rotation, which is useful when using an external log rotation solution such as logrotate.

To disable log file rotation:

bin/kc.sh start --log="console,file" --log-file-rotation-enabled=false

For more information, see the File logging guide.

HTTP access logs in a dedicated file

HTTP access logs can now be written to a dedicated file, separate from the server logs. This makes it easier to process and archive access logs independently for security auditing and compliance monitoring.

For more information, see Configuring HTTP access logging.

Customizable service fields in JSON log output

Keycloak now provides native options to customize the service.name and service.environment fields in JSON log output across all log handlers (console, file, and syslog).

Previously, when using the ECS format, service.name and service.environment could not be overridden through Keycloak configuration. This made it difficult to align JSON log fields with OpenTelemetry resource attributes.

You can now set these fields using log-service-name and log-service-environment.

For more information, see the Configuring logging guide.

New and updated translations

New translations for Indonesian and Armenian were added. A warm welcome to the new language maintainers for these languages! There are also new language maintainers for the Swedish translation, who translated all remaining message keys. Thank you so much!

Follow the translation progress on the translation status page, help translate, and read the translation guide on how to add additional languages.

Right-to-left language support in the Account UI

Support for right-to-left (RTL) languages was added to the Login UI, Admin UI, and email templates several releases ago. This release adds initial RTL support to the Account UI, which completes this effort.

Observability

Telemetry configuration via the Keycloak CR

Keycloak now supports configuring the OpenTelemetry properties via the Keycloak CR when using the Operator. These properties are shared among the available OpenTelemetry components - logs, metrics, and traces.

For more details, see the Centralize your observability stack with OpenTelemetry guide.

Custom request headers for OpenTelemetry

It is now possible to set request headers for exporting telemetry via OpenTelemetry Protocol (OTLP). This is mainly useful for providing tokens in the request.

You can specify these headers via the telemetry-header-<header> wildcard option, which accepts any custom header name. Alternatively, use telemetry-logs-header-<header> for OpenTelemetry Logs or telemetry-metrics-header-<header> for OpenTelemetry Metrics.

For more details, see the Centralize your observability stack with OpenTelemetry guide.

Service Monitor annotations and labels via the Keycloak CR

It is now possible to configure service monitor labels and annotations via the Keycloak CR when using the Operator.

For more details, see the Advanced Configuration Operator guide.

Extension Development

Keycloak Test Framework (supported)

The Keycloak Test Framework, based on JUnit 6, is now fully supported.

It replaces the previous solution built on top of Arquillian and JUnit 4. Behind the scenes, the framework handles the lifecycle of Keycloak, the database, and any injected resources such as realms and clients.

Tests simply declare what they want, including specific configuration, and the framework takes care of the rest.

For more information, see Keycloak Test Framework.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Deprecated features

• #​45156 Deprecate Token Exchange v1

New features

• #​10155 Step-up authentication for SAML clients authentication
• #​13102 Add support for specifying `client.secret` using vault core
• #​39888 Workflows
• #​42634 Federated client authentication
• #​43144 OAuth Identity and Authorization Chaining Across Domains
• #​43146 New test framework
• #​43152 Authorization Grants
• #​43252 Zero-downtime upgrades between patch releases of Keycloak
• #​43257 Support a Kubernetes Native Database
• #​43507 Add support for Organization-specific Groups
• #​43576 Authorization grant for social providers token-exchange/federated
• #​44833 [OID4VCI] Make natural_person configuration available in all formats oid4vc
• #​45106 OAuth Client ID Metadata Document
• #​45284 CIMD - Persistent CIMD oidc
• #​46633 keycloak operator: add support for different port and name for the kubernetes service definition in the keycloak CRD
• #​47011 Add debug helper utility to the test framework test-framework

Enhancements

• #​10618 Enhancements to logging config dist/quarkus
• #​14523 Add support for enforced password change with LDAP federation ldap
• #​17904 Support RTL UI account/ui
• #​19374 Allow absolute path for cache-config-file? dist/quarkus
• #​19453 The default database transaction timeout should not be applied to Liquibase or data migrations dist/quarkus
• #​20618 Support enabling access logs dist/quarkus
• #​27986 Remove Liquibase dependency version from Keycloak root pom
• #​33160 Add support for X509 client certificate lookup for Envoy
• #​33198 Introduce `resourcesCommonUrl` for E-Mail templates core
• #​33818 Request for Enhancement: Make x509cert-lookup SPI public
• #​34435 OTEL: Add tracing ID to user facing error message observability
• #​35298 Reverse proxy provided context path not working despite setting X-Forwarded-Prefix header dist/quarkus
• #​36226 Provide a read only view of Identity Provider Mappers configuration screen to the Keycloak Admin UI
• #​36710 Have a first-class CLI option to change Keycloak's transaction timeout dist/quarkus
• #​38884 Upgrade command rolling updates for patch releases / step 3: Infinispan/JGroups support
• #​38888 Avoid breaking DB changes during patch releases
• #​40902 More fully document operator upgrade scenarios, in particular with custom images docs
• #​41330 Improve logging of JpaUserSessionPersisterProvider#expire
• #​41353 Provide HTTP access logs written to file with rotation dist/quarkus
• #​41629 Remove Tracing workaround in Infinispan/JGroups classes
• #​42256 DB Connection Pool acquisition timeout errors on database failover core
• #​42626 Provide a way to add custom labels to generated ServiceMonitor
• #​42747 Make DPoP docs more detailed oidc
• #​42876 dev mode should bind only to localhost if possible
• #​42900 Move the logic of scanning Kubernetes CA to Keycloak dist/quarkus
• #​43589 Gracefully shutting down HTTP stack
• #​43701 Improve SimpleHttp API core
• #​43829 Add createdTimestamp filter (before/after) to /admin/realms/{realm}/users
• #​44090 ErrorId for error screens and logging
• #​44101 Allow re-using server when running tests with the new framework
• #​44364 Improve client creation with PKCE in admin console core
• #​44424 findClientSessionsClientIds performance issue storage
• #​44459 Adding the log to the required action to show the cause of syntax violation of the LDAP policy ldap
• #​44846 [OID4VCI]: Ensure OID4VCI optional fields are saved cleanly and use defaults oid4vc
• #​44849 [OID4VCI] Add UI support for `vc.credential_signing_alg` in OID4VCI client scopes oid4vc
• #​44973 Hide Remember Me session settings when Remember Me is disabled in realm login settings
• #​45006 [OID4VCI] Add support for user did as subject id oid4vc
• #​45188 Upgrade to quarkus 3.30.5
• #​45220 OTEL: Ability to specify headers for exporters observability
• #​45231 [OID4VCI] Generate pre-authorized codes using the JWT format oid4vc
• #​45254 Admin UI javascript bundle should have source mapping
• #​45278 Upgrade to Quarkus 3.33.x LTS
• #​45281 Add missing Swedish translations for admin theme messages translations
• #​45322 Linking user with idp fails with generic message if user is already linked identity-brokering
• #​45337 Upgrade to Quarkus 3.31
• #​45348 OTEL: Add Telemetry options to Keycloak CR observability
• #​45360 Document that the the HA architectures are tested with Openshift 4.18
• #​45467 Management interface endpoint lists available endpoints dist/quarkus
• #​45620 Change default not-before validation to 10 second instead of 0 oidc
• #​45623 Avoid unnecessary warning logs during the operator tests execution testsuite
• #​45629 HTTP access log written to file should be in a separate directory dist/quarkus
• #​45689 When a user joins a role or group, it should not read all existing roles and groups from the database
• #​45704 Invite existing users from Admin UI organizations
• #​45718 Improve error message when organization name cannot be used as alias
• #​45795 Promote Keycloak and KeycloakRealmImport CRDs to v2beta1
• #​45841 Add revert button to client credentials page
• #​45880 SAMLEndpoint - increase extensibility by increasing accessibility of some private fields/methods
• #​45882 Use GroupResource context in Groups so that Group components can be reused
• #​45884 Testframework core has dependency on testcontainers
• #​45898 Supported Configurations guide
• #​45909 Add theme clarification blurb to Realm Settings admin/ui
• #​45941 Do not use deprecated test containers in tests testsuite
• #​45944 OTEL: Use suggested 'code.function.name' for span attributes observability
• #​45965 [OID4VCI] Revisit and fix OAuthClient.credentialRequest() oid4vc
• #​45992 Clarify operator instructions involving Wildcard certificates and OpenShift
• #​45996 Enforce `LF` line endings on `*.tsx` files with `.gitattributes`
• #​45999 [OID4VCI] Revisit and fix OAuthClient.credentialOfferUriRequest() oid4vc
• #​46001 [OID4VCI] Revisit and fix OAuthClient.credentialOfferRequest() oid4vc
• #​46043 Upgrade to Quarkus 3.31.2 dist/quarkus
• #​46055 [OID4VCI] Confine test realm setup to TestCase.configureTestRealm()
• #​46156 Add node count and next-node selection to LoadBalancer API
• #​46164 Separate password and OTP brute force protection to prevent OTP bypass attacks by default
• #​46255 Upgrade to Quarkus 3.32.0.CR1 dist/quarkus
• #​46292 Allow to expose WellKnown provider via ServerMetadataResource
• #​46304 SPIFFE Identity Provider default TTL too low
• #​46355 [OID4VCI] Add support for CredentialScopeRepresentation oid4vc
• #​46395 X509 Certificates passed from Traefik PassTlsClientCert middleware broken since 26.5.0 authentication
• #​46421 Revisit Infinispan session idle and lifetime settings
• #​46429 Add username to BrokeredIdentityContext created from JWTBearer Grant token-exchange/federated
• #​46471 Aggregate client-id field for improved Infinispan query
• #​46494 Allow customizing federated identity lookup in JWTAuthorizationGrantType
• #​46531 Consider exposing UUID for admin api v2 resources
• #​46556 For MSSQL Server, set `sendStringParametersAsUnicode` to `false` by default storage
• #​46557 Keycloak should check the Unicode setup of the database on startup
• #​46603 Add Database CLI options for TLS encryption for databases
• #​46617 MCP Documentation for 26.6
• #​46626 Allow to configure Client Assertion max expiration for Kubernetes Identity Provider
• #​46627 Allow to configure Client Assertion max expiration for OIDC Identity Provider
• #​46657 Passwords containing `$$` or `${` patterns are mangled when set via environment variables (SmallRye expression evaluation) dist/quarkus
• #​46671 Allow custom timeouts in DBLockProvider
• #​46689 Remove user input reflection in Token Introspection error responses oidc
• #​46693 Group-level deny policies do not block `manage-group-membership` on group members admin/fine-grained-permissions
• #​46699 CIMD - Performance: Avoid repeated convertContentFilledList() in verifyUri()
• #​46701 CIMD - Performance: Single-pass HTTP Cache-Control header lookup
• #​46703 CIMD - Performance: Eliminate double URI parsing in ClientIdUriSchemeCondition.applyPolicy()
• #​46708 CIMD - Performance: Avoid streaming the directive list multipul times
• #​46711 Upgrade to Quarkus 3.32.1 dist/quarkus
• #​46728 Use quarkus properties ahead of keycloak defaults or map from values
• #​46757 Upgrade to jackson-core 2.21.1
• #​46765 Adding missing question mark
• #​46781 IdP alias is not clickable in organization's Identity Providers tab admin/ui
• #​46796 Document that export is not a backup
• #​46809 Set a default connection timeout for all databases types
• #​46872 Be more explicit on how to enable OTel Logs and Metrics in Operator observability
• #​46874 Be more explicit in using the OTel Logs level observability
• #​46890 Upgrade to Quarkus 3.32.2 dist/quarkus
• #​46936 Reduce tightly coupling between client policy contexts and conditions/executors oidc
• #​46964 Adding more Hungarian translations
• #​46972 Clarify credentials field availability in GET /admin/realms/{realm}/users documentation
• #​47038 Translation support for UI theme descriptions translations
• #​47081 Upgrade to Quarkus 3.32.3 dist/quarkus
• #​47130 Upgrade to Quarkus 3.33.0.CR1 dist/quarkus
• #​47140 Add CLI option for database connection timeout and provide it into quarkus.datasource.jdbc.login-timeout
• #​47146 Keycloak: no native option to customize JSON log service.name and service.environment fields observability
• #​47163 Enhancement: Password denylist file changes should not require server restart
• #​47187 Asynchronous server initialization
• #​47229 Identity Provider redirection via kc_idp_hint in Pushed Authorization Request oidc
• #​47416 Async startup doesn't be enabled when the health check is not enabled
• #​47535 Polishing CNPG installation docs
• #​47667 Update release-notes for CIMD

Bugs

• #​22569 Provide descriptions for default realm-management roles admin/ui
• #​26946 Multiple protocolMappers with the same name. admin/api
• #​28970 Documention about the default db-schema is ambiguous docs
• #​36593 Built-in authentication flows are not updated for KC 26 organizations
• #​37231 Set New Password Multiple Times via Password Reset Function login/ui
• #​38991 [Test framework] Embedded server -> dependency download error when no version is specified test-framework
• #​39127 Incorrect return code with JWT algorithm set to none authentication
• #​40510 Organization flow do not redirect when credentials exist organizations
• #​40753 Resource leak: FileInputStream in Util.readProperties(File) is never closed .SAST core
• #​40921 Reject invalid resource IDs in permission creation
• #​41165 Feishu login has been continuously failing as an identity provider identity-brokering
• #​41630 Warning log message SRCFG01008: The value default has been converted by a Boolean Converter to "false" dist/quarkus
• #​41924 Internal server error after changing Admin UI theme to "base" - An old, persisted problem admin/ui
• Mend Renovate. View the repository job log.