
Keycloak 26.6.4 — If Your Instance Is Reachable From the Internet, Update
Security · IDPTrust
Keycloak 26.6.4 was released on June 26, 2026, just three weeks after 26.6.3. It is again almost entirely a security release: 8 CVEs fixed. Topping the list are an authentication bypass via JWT algorithm confusion and an escalation from group-admin to realm-admin — two flaws that, in the worst case, let an attacker take administrative control of a realm. If your Keycloak instance is reachable over the network, update.
Here are the points that matter most.
The most urgent ones
CVE-2026-11800 — Authentication bypass via JWT algorithm confusion
Keycloak accepts a JWT signed with an algorithm other than the expected one, enabling the classic algorithm confusion attack (for example, treating an RSA public key as an HMAC secret, or downgrading signature verification). The result is an authentication bypass: an attacker can forge a token that Keycloak accepts as valid without holding the legitimate signing key. This is the most severe flaw in the release and the first one to close.
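As an added illustration of the defence against this bug class (example code written for this post, not Keycloak's own verifier or anything from the release): a minimal JWT verifier that takes the algorithm from the server-side key record, never from the token header, and fails closed for anything else. The key records, the shared secret and the tokens are constructed for the scenarios, only HS256 signature checking is implemented, and the placeholder RSA record exists only to show that an HS256-headed token is refused before any signature math runs.

```python
import base64, hashlib, hmac, json
class TokenRejected(Exception): pass

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _hs256_ok(key: dict, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(key["k"], signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)
# Signature routines keyed by algorithm; an algorithm without an entry fails closed.
SIGNATURE_CHECKS = {"HS256": _hs256_ok}

def sign_hs256(claims: dict, secret: bytes) -> str:  # constructed issuer for the scenarios
    parts = [_b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
             _b64url_encode(json.dumps(claims).encode())]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])

def verify(token: str, key: dict) -> dict:
    """Key record {"kid","kty","alg","k"} pins the algorithm; header alg is only compared to it."""
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        raise TokenRejected("malformed token") from None
    alg = header.get("alg")
    if alg != key["alg"]:  # exact match: "none", "hs256" and HS256-vs-RS256 all stop here
        raise TokenRejected(f"alg {alg!r} not allowed for kid {key['kid']}")
    check = SIGNATURE_CHECKS.get(alg)  # fails closed when no verifier is configured
    if check is None or not check(key, f"{h}.{b}".encode(), _b64url_decode(s)):
        raise TokenRejected("signature mismatch")
    return json.loads(_b64url_decode(b))

def run_scenarios() -> dict:  # returns {scenario: subject or rejection reason}
    secret = b"constructed-demo-secret"  # constructed keys and tokens, not real material
    hs_key = {"kid": "hs-1", "kty": "oct", "alg": "HS256", "k": secret}
    rsa_key = {"kid": "rs-1", "kty": "RSA", "alg": "RS256", "k": b"<placeholder public key>"}
    good = sign_hs256({"sub": "alice", "realm_access": {"roles": ["user"]}}, secret)
    # HS256 header presented to an RS256-pinned key: refused before any HMAC is computed
    confused = sign_hs256({"sub": "alice", "realm_access": {"roles": ["realm-admin"]}}, b"not-the-realm-key")
    none_tok = _b64url_encode(b'{"alg":"none"}') + "." + good.split(".")[1] + "."
    out = {}
    for name, tok, key in [("valid_hs256", good, hs_key), ("hs256_against_rsa_key", confused, rsa_key),
                           ("alg_none", none_tok, hs_key), ("tampered", good[:-43] + "A" * 43, hs_key)]:
        try:
            out[name] = verify(tok, key)["sub"]
        except TokenRejected as e:
            out[name] = f"rejected: {e}"
    return out
```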
CVE-2026-9099 — group-admin escalation to realm-admin
An account with administrative permissions scoped to a single group can escalate to full realm-admin privileges. It turns a deliberately narrow role — typically delegated to team leads or partners — into full control over the realm's users, clients, and configuration. This is critical in any multi-tenant deployment, or in any deployment that uses delegated administration.
Privilege escalation and authorization bypass
- CVE-2026-9795 — Privilege escalation via improper scope mapping enforcement. The scope mapping check is not enforced correctly, so a token can end up with scopes — and therefore permissions — it should not have.
- CVE-2026-9799 — Unauthorized access to resources via UMA permission ticket bypass. The User-Managed Access permission ticket flow can be bypassed to gain access to protected resources without proper authorization.
- CVE-2026-9800 — Policy enforcer authorization bypass via incorrect URI comparison. The policy enforcer compares URIs incorrectly, so requests can reach protected paths that policy should have blocked.
- CVE-2026-9705 — Re-enabling and taking over disabled clients via the registration access token. A still-valid registration access token lets an attacker re-enable a previously disabled client and take it over.
Information disclosure and XSS
- CVE-2026-9083 — Information disclosure via arbitrary filesystem path probing. An attacker can infer the existence of files and paths on the server by probing filesystem paths.
- CVE-2026-9086 — Cross-site scripting (XSS) via case-insensitive URI validation bypass. A capitalization difference lets an attacker bypass URI validation and inject content that ends up executing in the victim's browser.
Infrastructure and dependencies
This release upgrades to Quarkus 3.33.2.1 and fixes several build and CI issues (JavaScript build problems, Admin Client test failures, incorrect migration guide documentation, and deployment issues with keycloak-api-docs-dist).
Migration changes
Before upgrading, review the official migration guide to confirm no change affects your configuration.
Should you update?
Yes. CVE-2026-11800 (authentication bypass) and CVE-2026-9099 (escalation to realm-admin) are the two to focus on first — either can lead to administrative compromise of the realm. The privilege escalation and authorization bypass group (9795, 9799, 9800, 9705) is especially relevant if you rely on fine-grained authorization, UMA, or the policy enforcer in your adapters. Plan the upgrade as soon as possible.
Full release notes: keycloak.org/2026/06/keycloak-2664-released
At IDPTrust we specialize in Keycloak in production. If you need help assessing the impact of this release on your setup or planning the upgrade, get in touch.