fix(deps): update keycloakclientversion to v26 (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.keycloak:keycloak-core (source)	25.0.6 -> 26.3.1
org.keycloak:keycloak-admin-client (source)	25.0.6 -> 26.0.6

---

Release Notes

keycloak/keycloak (org.keycloak:keycloak-core)

v26.3.1

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

• #​40851 Upgrade to Infinispan 15.0.16.Final
• #​40962 Update limitations of the preview feature rolling updates for patch releases infinispan

Bugs

• #​35932 Importing a realm takes more than 1 minute when multiple others exist. dist/quarkus
• #​40368 NPE during loading user groups with concurrent deletion storage
• #​40713 Unable to configure TLS reloading in Keycloak version 26.2.0 or later account/api
• #​40838 Mark options for additional datasources as preview dist/quarkus
• #​40890 Keycloak Operator 26.3.0 fails to update to 26.3.0 operator
• #​40930 Docs: server_development/topics/themes.adoc docs
• #​40954 Keycloak 26.3.0 Regression: Failed to login if web-authn is disabled core

v26.3.0

Compare Source

Highlights

This release delivers advancements to optimize your system and improve the experience of users, developers and administrators:

• Account recovery with 2FA recovery codes, protecting users from lockout.

• Simplified experiences for application developers with streamlined WebAuthn/Passkey registration and simplified account linking to identity providers via application initiated actions.

• Broader connectivity with the ability to broker with any OAuth 2.0 compliant authorization server, and enhanced trusted email verification for OpenID Connect providers.

• Asynchronous logging for higher throughput and lower latency, ensuring more efficient deployments.

• For administrators, experimental rolling updates for patch releases mean minimized downtime and smoother upgrades.

Read on to learn more about each new feature, and find additional details in the upgrading guide if you are upgrading from a previous release of Keycloak.

Recovering your account if you lose your 2FA credentials

When using for example a one-time-password (OTP) generators as a second factor for authenticating users (2FA), a user can get locked out of their account when they, for example, lose their phone that contains the OTP generator. To prepare for such a case, the recovery codes feature allows users to print a set of recovery codes as an additional second factor. If the recovery codes are then allowed as an alternative 2FA in the login flow, they can be used instead of the OTP generated passwords.

With this release, the recovery codes feature is promoted from preview to a supported feature. For newly created realms, the browser flow now includes the Recovery Authentication Code Form as Disabled, and it can be switched to Alternative by admins if they want to use this feature.

For more information about this 2FA method, see the Recovery Codes chapter in the Server Administration Guide.

Performance improvements to import, export and migration

The time it takes to run imports, exports or migrations involving a large number of realms has been improved. There is no longer a cumulative performance degradation for each additional realm processed.

Simplified registration for WebAuthn and Passkeys

Both WebAuthn Register actions (webauthn-register and webauthn-register-passwordless) which are also used for Passkeys now support a parameter skip_if_exists when initiated by the application (AIA).

This should make it more convenient to use the AIA in scenarios where a user has already set up WebAuthn or Passkeys. The parameter allows skipping the action if the user already has a credential of that type.

For more information, see the Registering WebAuthn credentials using AIA chapter in the Server Administration Guide.

Simplified linking of the user account to an identity provider

Client-initiated linking a user account to the identity provider is now based on application-initiated action (AIA) implementation. This functionality aligns configuring this functionality and simplifies the error handling the calling of the client application, making it more useful for a broader audience.

The custom protocol, which was previously used for client-initiated account linking, is now deprecated.

Brokering with OAuth v2 compliant authorization servers

In previous releases Keycloak already supported federation with other OpenID Connect and SAML providers, as well as with several Social Providers like GitHub and Google which are based on OAuth 2.0.

The new OAuth 2.0 broker now closes the gap to federate with any OAuth 2.0 provider. This then allows you to federate, for example, with Amazon or other providers. As this is a generic provider, you will need to specify the different claims and a user info endpoint in the provider&#​8217;s configuration.

For more information, see the OAuth v2 identity providers chapter in the Server Administration Guide.

Trusted email verification when brokering OpenID Connect Providers

Until now, the OpenID Connect broker did not support the standard email_verified claim available from the ID Tokens issued by OpenID Connect Providers.

Starting with this release, Keycloak supports this standard claim as defined by the OpenID Connect Core Specification for federation.

Whenever users are federated for the first time or re-authenticating and if the Trust email setting is enabled, Sync Mode is set to FORCE and the provider sends the email_verified claim, the user account will have their email marked according to the email_verified claim. If the provider does not send the claim, it defaults to the original behavior and sets the email as verified.

Asynchronous logging for higher throughput and lower latency

All available log handlers now support asynchronous logging capabilities. Asynchronous logging helps deployments that require high throughput and low latency.

For more details on this opt-in feature, see the Logging guide.

Rolling updates for patch releases for minimized downtime (preview)

In the previous release, the Keycloak Operator was enhanced to support performing rolling updates of the Keycloak image if both images contain the same version. This is useful, for example, when switching to an optimized image, changing a theme or a provider source code.

In this release, we extended this to perform rolling update when the new image contains a future patch release from the same major.minor release stream as a preview feature. This can reduce the service&#​8217;s downtime even further, as downtime is only needed when upgrading from a different minor or major version.

Read more on how to enable this feature in update compatibility command.

Passkeys integrated in the default username forms

In this release Keycloak integrates Passkeys in the default authentications forms. A new switch Enable Passkeys is available in the configuration, Authentication → Policies → Webauthn Passwordless Policy, that seamlessly incorporates passkeys support to the realm. With just one click, Keycloak offers conditional and modal user interfaces in the default login forms to allow users to authenticate with a passkey.

The Passkeys feature is still in preview. Follow the Enabling and disabling features guide to enable it.

For more information, see Passkeys section in the Server Administration Guide.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

• #​21995 Configurable probes in the Operator operator
• #​29116 Add supported config options for additional datasources dist/quarkus
• #​29596 Passkeys conditional UI: integration with username/password form authentication/webauthn
• #​38465 Name for OTP device should be unique account/api
• #​38985 Possibility to log details and representation to the jboss-logging listener
• #​39408 make MaxAuthAge configurable for required actions authentication
• #​40021 Passkeys conditional UI: integration with independent username and password form authentication/webauthn
• #​40033 Deprecate or remove the current conditionalUI authenticator authentication/webauthn

Enhancements

• #​12025 Get multiple users by Ids admin/api
• #​21277 Support IPv6 only environments dist/quarkus
• #​23283 Allow Keycloak operator to parameterize the Service annotations and labels
• #​28713 Temporarily Locked out users change the enabled flag of the user account/api
• #​28851 Support Syslog async properties dist/quarkus
• #​30227 Admin-UI: move PKCE Code Challenge Method setting from Advanced to Settings tab
• #​33978 Migration progress missing
• #​34160 Remove CACHE_EMBEDDED_REMOTE_STORE Feature
• #​35446 Ensure Client Initiated Account Linking behaves like other Application Initiated Actions authentication
• #​36635 Change User details page drop-down filter to make it easier to find the 'admin' role admin/ui
• #​37532 Remove user event types from admin UI is unusable admin/ui
• #​37716 Add ability for Quick Theme to import theme from a jar admin/ui
• #​37717 Quick Theme should allow naming the jar before download admin/ui
• #​38091 Add more validation for proxy-headers
• #​38228 Auto submit the "Organization Identity-First Login" form with pre-filled username field organizations
• #​38259 Enhance mapping from env variables to wildcards
• #​38262 Add `count` endpoint for organizations organizations
• #​38433 Make `ThemeManagerFactory` into a proper SPI so that it can be accessed/overridden core
• #​38496 Create CacheRemoteConfigProvider
• #​38497 Create CacheEmbeddedConfigProvider
• #​38578 Support Asynchronous logging
• #​38614 Improve Dutch translation for Theme base/login and base/email translations
• #​38620 Key generation for client authentication is always RSA 2048 with a 10-year validity, regardless of the selected algorithm authentication
• #​38621 Client secret generation provides lower than expected entropy authentication
• #​38649 Improve migration performance core
• #​38663 Access Token IDs have less than 128 bits of entropy core
• #​38714 Add feedback when user sync process is triggered in user federation
• #​38863 Allow logging of slow database operations
• #​38882 Upgrade command rolling updates for patch releases / step 1: experimental
• #​38883 Upgrade command rolling updates for patch releases / step 2: preview
• #​38956 Clarify upgrade instructions
• #​38981 Allow setting locale when edit mode is `READ_ONLY`
• #​38994 Make recovery codes supported authentication
• #​39057 Change the title for Grafana dashboards guide to plural docs
• #​39059 Document operator `Auto` update strategy when used with `podTemplate`
• #​39080 Standardize introductory text in Keycloak guides
• #​39136 Update LDAP configuration with a hint how to enable password hashing in ApacheDS
• #​39142 Make distribution startup timeout configurable testsuite
• #​39172 Add description to groups
• #​39191 Ability to skip AIA for adding WebAuthn security key in case that user already has one authentication
• #​39198 Better tooltip for Strategy to increase wait time in brute force settings
• #​39213 Polishing recovery codes authentication
• #​39214 Use required action configuration instead of password policy for warning threshold authentication
• #​39243 Should we improve metadata of recovery code credential? authentication
• #​39338 Keycloak Operator: TTL for KeycloakRealmImport jobs docs
• #​39405 Message bundle hot reloading
• #​39418 Clarify when to use podman docs
• #​39469 Fix Securing Apps links to adapters docs
• #​39486 Email server credentials can be harvested through host/port manipulation admin/api
• #​39541 Fix doc link to FGAP v1 docs
• #​39543 Apply edits to Operators Guide docs
• #​39544 Change discovery in Kubernetes to `jdbc-ping`
• #​39545 JGroups: Switch to "per-destination" bundler for `jdbc-ping`
• #​39563 Protocol `openid-connect` should be selected as default for ClientScopes oid4vc
• #​39572 Edit Observability Guide docs
• #​39587 Make slow SQL and SQL comment prefix configurable
• #​39590 Fix callouts in Operator guide docs
• #​39595 Build user representations when searching based on the user profile settings user-profile
• #​39617 OpenTelemetry Tracing: Spans as part of the "commit" should be nested dist/quarkus
• #​39619 OpenTelementry Tracing: Show calls within a rest resource as nested dist/quarkus
• #​39638 Sessions from Infinispan should be mapped lazily for the Admin UI
• #​39641 Return only manage permissions when listing users via administration console
• #​39651 Speed up Infinispan list of all sessions be more eagerly remove old client sessions
• #​39653 Pass notifications in batches to remote and local ISPN cache infinispan
• #​39665 When logging in, all client sessions are loaded which is slow oidc
• #​39670 Add re-authentication when updating email via UPDATE_EMAIL feature
• #​39723 Redirect request from wrong version to the right version
• #​39748 Docs: server_admin/topics/clients/oidc/proc-using-a-service-account.adoc oidc
• #​39761 Revise DPoP Codes - refactor retrieveDPoPHeaderIfPresent method oidc
• #​39817 Document that a shell wrapper must not start replace PID 1 in containers
• #​39826 Revise DPoP Codes - refactor remove unused methods oidc
• #​39855 Revise Client Policies Codes - AbstractClientPoliciesTest oidc
• #​39872 Improve JGroups network bind address documetion
• #​39885 Identity provider with FORCE sync mode does not detect verified email change identity-brokering
• #​39889 Revise Client Policies Codes - ClientPoliciesAdminTest oidc
• #​39891 Revise Client Policies Codes - ClientPoliciesConditionTest oidc
• #​39909 Add missing id attributes for button elements of keycloak.v2 login theme
• #​39962 Create a POC of running 2 containers in the new testsuite
• #​39965 Create test cases for OIDC flows
• #​39975 Make the checkbox "Sign out from other devices" unchecked by default authentication
• #​39980 Revise Client Policies Codes - ClientPoliciesExecutorTest oidc
• #​39982 Revise Client Policies Codes - ClientPoliciesExtendedEventTest oidc
• #​39987 Unnecessary boxing/unboxing to parse a primitive. SAST saml
• #​40012 Revise Client Policies Codes - ClientPoliciesLoadUpdateTest oidc
• #​40014 Revise Client Policies Codes - ClientPoliciesTest oidc
• #​40016 Revise Client Policies Codes - SecureRedirectUrisEnforcerExecutorTest oidc
• #​40022 Passkeys conditional UI: integration with the organization authenticator authentication/webauthn
• #​40023 Upgrade webauthn4j to a newer version authentication/webauthn
• #​40024 Throw an exception if transport mTLS keystore or Truststore does not exist
• #​40027 Unrelated Types. SAST
• #​40030 Potential thread safety Issue with lazy init of transformerFactory at TransformerUtil. SAST
• #​40034 Serialization issue in SAMLEntityAttributesParser - no void constructor in superclass. SAST
• #​40039 Abbreviate text in PKCE method configuration label in OIDC Client configuration admin/ui
• #​40050 Revise Client Policies Codes - OAuth 2.1 tests oidc
• #​40052 Revise Client Policies Codes - FAPI1Test oidc
• #​40054 Revise Client Policies Codes - FAPI2Test oidc
• #​40056 Revise Client Policies Codes - FAPICIBATest oidc
• #​40060 Sign of a bad copy/paste in logging of usserSessionLimitsAuthenticator authentication
• #​40108 Support more i18n keys for messages_ru.properties
• #​40129 Refactor the key value input so that it has an override for key and value component
• #​40165 Upgrade to Infinispan 15.0.15
• #​40166 Upgrade Aurora PostgreSQL to a supported release
• #​40188 Document security implications of Keycloak CR operator
• #​40191 Icon for default role should have a separator to the role name admin/ui
• #​40208 ServerInfo View in Admin-Console should show CPU information
• #​40233 Make `ProviderConfigurationBuilder` fail when a duplicate property is added.
• #​40336 Support all i18n keys for messages_ru.properties translations
• #​40419 Update links specs in OIDC guide docs
• #​40440 Add link to OIDC Discovery Spec in the documentation of the certs endpoint oidc
• #​40441 Add templates for release notes and migration guide docs
• #​40446 Review Profile makes users prone to phishing attacks authentication
• #​40448 add (ky )kyrgyz language support translations
• #​40472 Default to num_owners=2 when the persistent-user-sessions feature is disabled infinispan
• #​40487 Clarify OpenShift v4 Identity Provider instructions
• #​40489 When redirecting old resource versions, keep query parameters
• #​40533 Clarify FIPS instructions
• #​40564 Add clarifying language around jgroups failure detection ports
• #​40566 Synchronization of Polish language in login template translations
• #​40579 Add missing translations in email and account theme for Polish lang translations
• #​40639 Update documentation about volatile sessions
• #​40641 [docs] fix spelling error in hostname.adoc
• #​40705 Documentation for passkeys for 26.3.0 authentication
• #​40709 Update javadoc of java admin-client for Keycloak 26.3 admin/client-java
• #​40765 Make abstract class AbstractUserRoleMappingMapper public

Bugs

• #​27945 Passkey "Avoid same authenticator registration" doesn't work authentication/webauthn
• #​32600 OpenAPI spec: Missing attributes in ClientPolicyConditionRepresentation and ClientPolicyExecutorRepresentation schemas admin/api
• #​33078 account/ui spinner use patternfly v3 classes instead of patternfly v5 classes account/ui
• #​35266 Amazon Identity Provider does not accept scope = openid and Keycloak always sets it identity-brokering
• #​35278 Double click on social provider link causes page has expired error login/ui
• #​36150 wrong redirect after login timeout for parallel logins authentication
• #​36320 [Keycloak CI] - User Federation Tests - LDAPUserProfileTest.testMultipleLDAPProviders ci
• #​36396 "identity-provider-redirector" does not forward LOGIN_HINT of authentication session authentication
• #​36562 Social login - Instagram Login test fails, API changed ci
• #​36609 Keycloak container incorrectly read CGroups settings on Kernel 6.12 dist/quarkus
• #​36622 Login UI edit profile textarea doesn't have styles applied login/ui
• #​36986 Localization: when the user has forgotten the password, the email is sent in default language, instead of the selected one login/ui
• #​37202 Client scopes evaluate function shows sub claim in access token even if "basic" client scope is not selected admin/ui
• #​37269 External IDP error during Step-Up Authentication does no longer route back to browser flow authentication
• #​37447 account-console no longer provides nonce/state parameter account/ui
• #​37490 [Keycloak CI] - Quarkus IT (windows-latest, win) - QuarkusPropertiesDistTest ci
• #​37526 Unexpected Application Initiated Actions Cause Server Errors authentication
• #​37537 LDAP group mapper skips configured filter and imports all groups with memberOf strategy when fetching the user's groups ldap
• #​37555 User Federation: Remove imported users modal has wrong text admin/ui
• #​37559 Linking user in different browser doesn't work if original window/tab is closed identity-brokering
• #​37598 Realm context uses route and can't be used in libary admin/ui
• #​37648 User Attribute option of SAML "User Attribute Mapper for NameID" should be required admin/ui
• #​37720 MSADUserAccountControlStorageMapper attempts to persist a userAccountControl value of 0 on user create, resulting in LDAP error and incomplete user provisioning ldap
• #​37899 User email not registered when user has not the permission to edit his email core
• #​38049 Upload of JKS keystore fails with a server error admin/ui
• #​38104 Temporary failure in name resolution with nip.io ci
• #​38145 Unknown error on authentication-flow delete action admin/ui
• #​38161 RawKeycloakDistribution exit code is always 0 testsuite
• #​38251 Importing a realm from a directory fail if the realm contain organizations with users. import-export
• #​38351 Mail settings can't be provided via environment variables testsuite
• #​38382 Disable user row if not allowed to delete admin/ui
• #​38458 [FGAP] [UI] Permission search doesn't execute correct consequent search request admin/fine-grained-permissions
• #​38482 SAML client certificate not persisted admin/ui
• #​38487 [Keycloak Operator CI] - Test remote (slow) - UpdateTest.testExplicitStrategy ci
• #​38542 JWK Subtypes fail when mapping JWK to PublicKey core
• #​38602 Keycloak fails to start on MySQL Cluster due to missing primary key in databasechangelog dist/quarkus
• #​38616 Fix alignment of the 'Action' selectbox with the 'Enabled' switch for User federation admin/ui
• #​38660 Ldap federation seems to open and keep open a new thread/connection for each ldap request ldap
• #​38662 Update commands trigger build checks dist/quarkus
• #​38671 Duplicate Key Violation When Reauthenticating After Account Deletion via Google identity-brokering
• #​38676 Dropdown search input is not cleared after selecting with mouse admin/ui
• #​38692 Test coverage for count menthods when filtering admin/fine-grained-permissions
• #​38703 Password Policy Changes get overwritten in the UI admin/ui
• #​38757 Keycloak statefulset is not mapped to any headless service if installed via operator operator
• #​38767 Make group required when selecting a specific group creating a premission admin/ui
• #​38783 `content.json`'s isVisible flags are ignored in `Root.tsx`'s `mapRoutes` function, which makes the pages still accessible account/ui
• #​38789 [Keycloak JS CI] Admin UI E2E tests on Firefox have failures ci
• #​38799 Kerberos principal attribute value "comes back" when cleared. admin/ui
• #​38801 Building docker image of keycloak with curl using 2 stage process hangs docs
• #​38812 Test failures in CI in Chrome tests ci
• #​38846 StatefulSet reconciliation infinitely looping operator
• #​38850 Changing a password with the option log out all other sessions doesn't log out offline sessions core
• #​38852 [Organization] Failed authentication (ModelDuplicateException) when e-mail duplicates are allowed on the realm organizations
• #​38873 Client Credentials tab : "Allow regex pattern comparison" toggle is always "On" on page load admin/ui
• #​38893 Multi-stage docker builds fail --optimized validation dist/quarkus
• #​38910 Bug: Hosted Domain Validation Logic Issue in Keycloak Google Identity Provider identity-brokering
• #​38911 Filtering of user- and admin-events by dateTo always returns empty results admin/api
• #​38913 [FGAP] AvailableRoleMappings do not consider all-clients permissions admin/fine-grained-permissions
• #​38918 IPv6 support: Broker tests failing with proxy configuration ci
• #​38920 Downstream docs have duplicate ID on sampling docs
• #​38925 Blocking issue with increasing JVM thread count after migrating from 26.0.8 to 26.1.4 infinispan
• #​38929 Permission details sometimes don't show the name of the client admin/fine-grained-permissions
• #​38930 [Docs] Broken link in ExternalLinksTest for importmap docs
• #​38932 Home button always redirects to master realm when permission denied admin/ui
• #​38934 UI: Readonly/disabled profile form input fields are visually indistinguishable from active fields account/ui
• #​38937 Liquibase checksum mismatch when upgrading from Keycloak ≤ 22.0.4 directly to 26.2.x storage
• #​38938 Missing null checks in IdentityProviderResource lead to NPE admin/api
• #​38944 Admin UI test "Enable user events" breaks as event metadata has changed admin/ui
• #​38964 [26.2.3/26.1.5] Regression: ClientList value is empty in UI for Custom UserStorageProviderFactory admin/ui
• #​38970 Authentication request can fail with `unknown_error` authentication
• #​38982 JpaRealmProvider getGroupByName return group duplicate due to change of comparison (like vs equal) ldap
• #​39015 Keycloak operator with update strategy to Auto: missing imagePullSecrets operator
• #​39021 After migrating to newer Keycloak, token refreshes using inherited offline sessions return access tokens with invalid exp value oidc
• #​39022 Setting batch size to 0 in LDAP provider with pagination enabled leads to NPE ldap
• #​39023 Keycloak 26.2.0 UI Performance Degradation admin/ui
• #​39026 Fine-grained-permssion v2 Display problem admin/fine-grained-permissions
• #​39037 UserInfo request fails by using an access token obtained in Hybrid flow with offline_access scope oidc
• #​39046 Keycloak 26.2.0 can't authenticate to the H2 database after the upgrade core
• #​39055 After import of keys an export doesn't include these values admin/ui
• #​39061 Missing iteration key property in SigningIn Page account/ui
• #​39063 Optimized startup fails from `kc.spi-connections-http-client-default-expect-continue-enabled` passed at runtime dist/quarkus
• #​39065 Issue with SSL and `CertificatereloadManager` in Keycloak 26.2 when using Istio infinispan
• #​39085 Redirects to admin endpoint 404s on hostname-admin / request scheme mismatch core
• #​39096 Release note 26.2.0 has broken link docs
• #​39110 jwks_uri endpoint returns content-type as "application/json" instead of "application/jwk+json" or "application/jwk-set+json" oidc
• #​39119 Evaluate client scopes can corrupt UI completely admin/ui
• #​39124 [Operator CI] - Test remote (slow) ci
• #​39125 [Keycloak CI] - FIPS UT - Run crypto tests ci
• #​39130 Authorization Code Flow Fails Scope Validation After Credential Definition Migration to Realm Level oid4vc
• #​39144 Getting Started Podman: We are sorry... HTTPS required docs
• #​39146 [FGAP] [UI] Searching for permissions doesn't allow to search for all group permissions admin/fine-grained-permissions
• #​39150 Evaluation should consider roles granted to the user admin/fine-grained-permissions
• #​39156 Quick theme: logo is undefined if not set admin/ui
• #​39157 [quarkus-next] TestEngine with ID 'junit-jupiter' failed to discover tests dist/quarkus
• #​39173 duplicate key value violates unique constraint "constraint_offl_cl_ses_pk3" infinispan
• #​39179 Uncaught server error during organization update when name already exists organizations
• #​39180 Groups view: Filter/search bar disappears and groups not shown after clearing empty search results admin/ui
• #​39182 Oracle driver problems in keycloak 26.2.1 dependencies
• #​39187 Account console: defaultLocale item in select locale field account/ui
• #​39206 Wrong UDP jgroups metric name docs
• #​39219 Serverinfo response grows over time admin/api
• #​39227 Quarkus devtools dependencies in 26.2.x dependencies
• #​39237 Deletion of a role is slow when when there are a lot of roles in the database core
• #​39246 Duplicate user entries when searching custom attributes core
• #​39259 Admin E2E tests ignores `RETRY_COUNT` environment variable admin/ui
• #​39262 Keycloak does not take into account value request parameter in the claims request for acr claim authentication
• #​39264 [OID4VCI] Documentation Errors docs
• #​39267 Avoid a NPE at org.keycloak.email.freemarker.beans.ProfileBean#getOrganizations when feature "organization" is disabled organizations
• #​39274 Aurora DB should not update automatically to the latest minor version ci
• #​39296 Inconsistent "grant_types" vs "grantTypes" Naming Causes GrantTypeCondition to Always Fail core
• #​39312 SLO measurement should mention a month as a period docs
• #​39336 Tests failing with embedded undertow due the infinispan testsuite
• #​39345 Ghost user entries in database from ldap causes import errors ldap
• #​39349 CVE-2025-3910 Two factor authentication bypass
• #​39350 CVE-2025-3501 Keycloak hostname verification
• #​39358 Aggregated policy: Cannot select policies that do not appear in the drop-down list admin/ui
• #​39402 Client Scope with mapper Organization Membership - claim disappears as soon as user is member of more than one Organisation organizations
• #​39403 Client Scope with mapper Organization Membership - organizations claim disappears when Include in token scope is off organizations
• #​39429 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionsAtRandomNode ci
• #​39442 Non-closing HTML tag in footer example docs
• #​39450 quarkus runtime options are treated as buildtime options dist/quarkus
• #​39454 JGroups errors when running a containerized Keycloak in Strict FIPS mode and with Istio infinispan
• #​39457 Typos in French login and email messages templates translations
• #​39465 Scheduled Task cannot access realm when feature fpap:v2 is active, but realm has it not configured admin/fine-grained-permissions
• #​39485 Inconsistent "Forgot Password" behavior reveals user account information login/ui
• #​39487 Incorrect tooltip over enabled features admin/ui
• Mend Renovate. View the repository job log.