
Keycloak 26.6.2 patches HTTP/2 flood edges, smuggling primitives, and several nasty session or WebAuthn corners

2026-05-19, by @osbytes, 6 min read
#keycloak #identity #oauth #oidc #security #http2 #webauthn #saml

TL;DR

  • Keycloak 26.6.2 shipped today with sixteen tracked CVEs and a Quarkus 3.33.1.1 bump in the same release note.
  • HTTP edge: CVE-2026-33871 HTTP/2 CONTINUATION-frame flood; CVE-2026-33870 chunked-extension parsing yields an HTTP request smuggling primitive.
  • Auth surface: CVE-2026-7507 OIDC session fixation leading to account takeover; CVE-2026-6856 WebAuthn AAGUID policy bypass via packed self-attestation; CVE-2026-37982 execute-actions token replay that enrolls WebAuthn credentials on a victim account.
  • Authorization Services and admin paths: CVE-2026-4628 UMA PUT access control gap; CVE-2026-4630 IDOR in the Protection API; CVE-2026-37979 missing audience enforcement on the OIDC introspection endpoint; CVE-2026-37978 and CVE-2026-37981 PII enumeration via evaluate-scopes and account resource lookups.
  • SAML, theme, crypto: CVE-2026-7307 /saml DoS; CVE-2026-37980 stored XSS in select-organization.ftl; Bouncy Castle bumps fold in CVE-2026-5588, CVE-2026-0636, CVE-2026-3505, CVE-2026-5598.

What shipped

The release note is dense on security and light on feature copy. Beyond the CVE list, maintainers ship routine bug fixes, operator-doc tweaks for CloudNativePG backups, and the Quarkus bump above. Fleets that pin Keycloak images or operator bundles should treat 26.6.2 as the floor for any internet-adjacent realm.

Buckets worth your time

HTTP/2 and smuggling. CVE-2026-33871 is the CONTINUATION-flood family seen whenever a server parses HTTP/2 streams eagerly. CVE-2026-33870 is an RFC violation in chunked extension quoted-string parsing that yields a smuggling primitive. Both are patch-and-verify items for anyone terminating HTTP in front of Keycloak or running it behind middleboxes that coalesce requests.

Sessions, redirects, token shape. CVE-2026-7507 is session fixation in the OIDC login flow ending in account takeover. CVE-2026-7504 is a redirect URI validation bypass. CVE-2026-7571 covers access token disclosure plus an implicit flow bypass using forged client metadata. File these in the same mental folder as auditing login themes, broker configs, and any custom client registration logic bolted on years ago.

WebAuthn and follow-on enrollment. CVE-2026-6856 is an AAGUID policy bypass through packed self-attestation. CVE-2026-37982 is uglier in practice: execute-actions token replay that drives unauthorized WebAuthn credential enrollment on a victim account. Re-read the upstream issue text before assuming an "email plus WebAuthn" recovery flow is safe.

UMA, introspection, fine-grained admin paths. CVE-2026-4628: improper access control on UMA resource management endpoints via PUT parameters. CVE-2026-4630: IDOR in the Authorization Services Protection API crossing resource-server boundaries. CVE-2026-37979: OIDC introspection endpoint missing audience restriction, leaking claims from lightweight access tokens. CVE-2026-37978: cross-role PII leakage through evaluate-scopes when user-view permissions should have blocked the read. CVE-2026-37981: another broken access control path in account resource user lookup enabling PII enumeration.
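The introspection item above is a reminder that a resource server should never rely on the authorization server alone to scope what an introspection response reveals. The following is an added example (not Keycloak code, and not from the release) of a resource-server-side gate that refuses any token whose `aud` does not name this server, on constructed RFC 7662-shaped responses; the audience and scope names are assumptions.

```python
# Constructed introspection responses shaped like RFC 7662 output; not captured from Keycloak.
# RFC 7662 allows "aud" to be either a single string or a list of strings, so both shapes appear.
RESPONSES = {
    "good": {"active": True, "aud": ["inventory-api", "billing-api"], "scope": "inventory:read", "sub": "u1"},
    "other_audience": {"active": True, "aud": "billing-api", "scope": "inventory:read", "sub": "u1"},
    "no_aud": {"active": True, "scope": "inventory:read", "sub": "u1"},
    "wrong_scope": {"active": True, "aud": "inventory-api", "scope": "inventory:write", "sub": "u1"},
    "inactive": {"active": False},
}


def accept_introspection(resp: dict, expected_aud: str, required_scope: str) -> tuple:
    """Decide whether a resource server may honour an introspected token.

    Returns (accepted, reason). The checks are deliberately strict: a token that is
    active but was issued for another audience, or that carries no audience at all,
    is rejected even if the authorization server happened to return its claims.
    """
    if resp.get("active") is not True:
        return False, "token inactive"
    aud = resp.get("aud")
    if aud is None:
        return False, "no audience claim"
    auds = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in auds:
        return False, "audience mismatch"
    # "scope" is a space-separated string per RFC 7662 / RFC 6749.
    scopes = set(str(resp.get("scope", "")).split())
    if required_scope not in scopes:
        return False, "missing scope"
    return True, "ok"


def evaluate_all(expected_aud: str = "inventory-api", required_scope: str = "inventory:read") -> dict:
    """Run the gate over every constructed response; returns name -> (accepted, reason)."""
    return {name: accept_introspection(r, expected_aud, required_scope) for name, r in RESPONSES.items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_all().items():
        print(f"{name:15s} accepted={ok} ({why})")
```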

SAML, XSS, template escape. CVE-2026-7307 is a denial of service on /saml with a crafted request. CVE-2026-37980 is stored XSS in select-organization.ftl where FreeMarker HTML escaping failed inside an inline JS handler. Same release ships additional FreeMarker / JavaScript injection cleanups (e.g. frontchannel-logout.ftl and broader "escape expressions in JS blocks" work referenced from the changelog table).

Crypto dependency hygiene. Several issues collapse into Bouncy Castle advisories (CVE-2026-5588, CVE-2026-0636, CVE-2026-3505, CVE-2026-5598). Maintainers dragged bcpkix and friends forward rather than re-deriving fixes locally.

What to verify after you bump

Match deployment shape to the bugs actually exposed:

  • Edge proxies: confirm HTTP/2 settings and any chunked transfer rewrites still match what Keycloak expects after the smuggling and flood fixes.
  • Custom themes or extensions: diff your FTL overrides against upstream fixes for organization pickers, logout, and other script-adjacent templates called out in the issue list.
  • WebAuthn and recovery: re-read flows combining execute-actions emails, WebAuthn enrollment, and AAGUID allow lists; replay-style bugs punish convenient recovery shortcuts.
  • Authorization Services: if you expose UMA or Protection API surfaces to multi-tenant apps, prioritize CVE-2026-4628 and CVE-2026-4630 in the test plan before declaring the upgrade done.
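For the theme item, the select-organization.ftl bug above is the pattern to hunt for in your own overrides: a FreeMarker `${...}` interpolation landing inside a `<script>` block or an inline `on*=` handler, where HTML auto-escaping does not make the value JS-safe. The scanner below is an added example (not Keycloak tooling) that flags such interpolations unless they end in `?js_string` or `?json_string`; the template fragment is constructed, not an upstream file, and the variable names are assumptions.

```python
import re

# Constructed FTL fragment, not a real Keycloak template. It has one interpolation inside an
# inline handler without a JS-safe escape, one inside <script> without one, one correctly
# escaped with ?js_string, and one in ordinary HTML body text (HTML context, not reported).
SAMPLE_FTL = """
<h1>${msg("selectOrganization")}</h1>
<ul>
  <li onclick="selectOrg('${org.alias}')">${org.name}</li>
</ul>
<script>
  var prefill = "${user.username?js_string}";
  var display = "${org.displayName}";
</script>
"""

# FreeMarker built-ins that produce a JS/JSON string literal; anything else in a JS context
# is treated as a finding. HTML auto-escaping alone does not neutralise quotes in JS.
JS_SAFE = ("?js_string", "?json_string")
INTERP = re.compile(r"\$\{([^}]*)\}")
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
HANDLER = re.compile(r'\bon\w+\s*=\s*"([^"]*)"', re.I)


def _unsafe(expr: str) -> bool:
    return not any(expr.strip().endswith(b) for b in JS_SAFE)


def find_js_context_interpolations(ftl: str) -> list:
    """Return (context, expression) for each ${...} in a JS context lacking a JS-safe escape.

    Contexts: "script" for <script>...</script> bodies, "handler" for on*="..." attributes.
    """
    findings = []
    for m in SCRIPT.finditer(ftl):
        for i in INTERP.finditer(m.group(1)):
            if _unsafe(i.group(1)):
                findings.append(("script", i.group(1).strip()))
    for m in HANDLER.finditer(ftl):
        for i in INTERP.finditer(m.group(1)):
            if _unsafe(i.group(1)):
                findings.append(("handler", i.group(1).strip()))
    return findings


if __name__ == "__main__":
    for ctx, expr in find_js_context_interpolations(SAMPLE_FTL):
        print(f"[{ctx}] ${{{expr}}} lacks a JS-safe escape")
```

Run it over each `.ftl` under your custom theme directory and compare the hit list against the templates named in the release's issue list before signing off the upgrade.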

If you cannot upgrade tonight, inventory where Keycloak terminates TLS versus where a reverse proxy re-encodes HTTP; several network-layer bugs are the kind operators patch twice (once in the app, once in the front door).

Upstream links each numbered item to a GitHub issue in the release note; that is the fastest way to pull exact preconditions and repro hints without trusting a paraphrase.
