Update dependency @keycloak/keycloak-admin-client to v26.6.3 by backstage-goalie[bot] · Pull Request #9210 · backstage/community-plugins

backstage-goalie · 2026-05-26T13:01:29Z

This PR contains the following updates:

Package	Change	Age	Confidence
@keycloak/keycloak-admin-client (source)	`26.6.1` → `26.6.3`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

keycloak/keycloak (@keycloak/keycloak-admin-client)

`v26.6.3`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#47707 CVE-2026-4800 lodash vulnerable to Code Injection via `_.template` imports key names account/ui
#47935 [CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint manipulation oidc
#48036 [CVE-2026-37977] CORS Access-Control-Allow-Origin reflected from unverified JWT azp claim on UMA token endpoint authorization-services
#48709 [CVE-2026-7500] Improper Access Control on Keycloak Server when the account Account API feature is disabled account/api
#48805 CVE-2026-42581 Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
#49118 [CVE-2026-8922] OIDC token introspection ignores realm-level notBefore when client-level notBefore is set oidc
#49133 [CVE-2026-8830] Missing server-side WebAuthn validations during credential registration authentication/webauthn
#49174 [CVE-2026-9088] Group Members Endpoint Bypasses User Profile Permissions admin/fine-grained-permissions
#49175 [CVE-2026-9087] Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login identity-brokering
#49426 [CVE-2026-9802] Server restart resets startupTime, allowing reuse of rotated refresh tokens when revokeRefreshToken=true oidc
#49428 [CVE-2026-9794] SAML ECP faultstring discloses client existence and configuration state saml
#49431 [CVE-2026-9791] Organization data exposed in tokens and account API when Organizations feature is disabled at realm level organizations
#49433 [CVE-2026-0707] ClientRegistrationAuth DoS via malformed Authorization header (CVE-2026-0707 incomplete fix) admin/api
#49434 [CVE-2026-9801] DoS in LDAP federation via malformed PasswordPolicyControl ldap
#49435 [CVE-2026-9704] Privilege escalation via silent subject_token removal in token exchange oidc
#49436 [CVE-2026-9792] ROPC grant bypass in client policy enforcement oidc

Weaknesses

#48978 UNSAFE_PATH_PATTERN regex to cover percent-encoded terminators and control characters oidc
#48986 Authorization Services: NullPointerException in UMA permission grant when stale permission ticket references removed scope authorization-services
#48987 Account API: Resource sharing endpoints ignore userManagedAccessAllowed realm setting authorization-services
#49086 Account resource sharing resolves recipient by username before email, granting access to wrong user authorization-services

Enhancements

#48311 Upgrade to Quarkus 3.33.2 dist/quarkus
#48695 Add startup check for missing database indexes
#49148 Add SPI option to disable FD_SOCK2 failure detection
#49526 Update to simple-git 3.36.0
#49530 Update to uuid >=13.0.1

Bugs

#45957 Handling of CORS requests in the Admin UI ineffective / open for CSRF admin/ui
#47036 Account ResourceService user endpoint returns excessive user data in UMA-enabled realms core
#48324 UMA IS_ADMIN filter breaks ticket finding authorization-services
#48430 Wildcard redirect URI matching does not enforce host boundary when * is placed directly after hostname oidc
#48432 ClientAdapter using wrong value for isFrontChannelLogout oidc
#48438 Keycloak 26.6.0/26.6.1 exits (code 1) ~100ms after async realm migration completes; migrations not persisted core
#48455 ContextNotActiveException during error handling core
#48464 Incomplete SCIM schema definition for objects scim
#48529 Broken downstream docs formatting on Kubernetes topic docs
#48584 Updating Keycloak to 26.6.x fails on SQL Server with case sensitive collation core
#48628 Client registerNode and unregisterNode endpoints fail authenticating the client core
#48681 ExternalLinksTest: oasis-open.org/standard/saml/ returns 403 in CI causing flaky documentation check ci
#48716 Missing index IDX_IDP_FOR_LOGIN and IDX_CLIENT_ATT_BY_NAME_VALUE for Microsoft SQL Server core
#48744 Input validation/ Unhandled NullPointerException on alg:none JWT in Bearer Authentication authentication
#48792 Virtual Thread checking is not working infinispan
#48806 NPE when accessing Account UI and the ACCOUNT feature is disabled account/api
#48877 Keycloak 26.6.1 does not persist UPDATE_PASSWORD for LDAP/AD federated users after temporary password reset ldap
#48904 Consistent 500 on DELETE of realms via non-browser clients calling REST API admin/api
#49058 Keycloak fails to run tests with embedded undertow dist/quarkus
#49140 Workflows documentation: offboarding example is incorrectly enclosing the list of revoked roles with double quotes workflows
#49149 Disable single thread sender in JGroups infinispan
#49151 FIPS jobs fail in CI because java-25-openjdk-devel package is missing testsuite
#49163 Enable JGroups message stats infinispan
#49194 Use Java 25 again for FIPS jobs testsuite
#49222 Incorrect link to Themes documentation docs
#49224 Broken links in UI Customization Guide docs
#49263 Use the PostgreSQL driver privacy option `logServerErrorDetail` dist/quarkus
#49265 Since Hibernate 7, the workaround to not log-and-throw Hibernate errors does not longer work dist/quarkus
#49274 JavaScript CI hangs when installing playwright testsuite
#49288 Link issue in the documentation for https://www.rfc-editor.org/rfc/rfc7662 docs
#49356 SAML async processing leaves a dangling threadlocal transaction dist/quarkus
#49611 Realm extensions require Bearer or Drop authorisation admin/api

`v26.6.2`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#47485 CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service
#47486 CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing
#47932 [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters authorization-services
#48049 [CVE-2026-37980] Stored XSS in select-organization.ftl - FreeMarker HTML-escape insufficient in inline JS handler organizations
#48275 CVE-2026-5588 Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules core
#48388 [CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration authentication/webauthn
#48570 [CVE‐2026‐0636, CVE‐2026‐3505, CVE‐2026‐5598] Multiple bouncycastle CVEs core
#49108 [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint
#49109 [CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak
#49110 [CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data
#49111 [CVE-2026-7507] Session fixation in OIDC login flow leading to account takeover
#49112 [CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account
#49113 [CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens
#49114 [CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission
#49115 [CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access)
#49116 [CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration

Enhancements

#47728 Monitor backups for CNPG - describe how to monitor it in the CNPG for backups installation guide
#47734 Add dedicated "Monitoring Standbys" section to the general installation documentation
#48329 JDBC_PING in 26.6 should not fail with 26.7 schema changes
#48348 Escape expressions in JS blocks in FTL pages
#48687 Upgrade to Quarkus 3.33.1.1

Bugs

#38526 Duplicate user attribute values cannot be removed core
#40602 Account UI reports "Something went wrong" when opening an unknown path account/ui
#47882 Broken link in deploy-cnpg docs
#47901 Realm import with --import-realm fails with ModelValidationException when Admin Permissions is enabled admin/fine-grained-permissions
#47915 FreeMarker templates allow instantiation of new objects and even running OS commands login/ui
#47987 FGAP v2 Specific Group permission has no scopes found in resource admin/fine-grained-permissions
#48030 Update to operator version 26.6.0 needs deletion of all objects operator
#48040 User session limit generates fatal error authentication
#48094 Wrong referenced resource type in Workflow handling for clients core
#48123 Clarify canonicalization in X.509 authentication authentication
#48143 Ordering of permission and policy calls leads to exposure of a client ID admin/api
#48185 Deleted workflow still attempting to run workflows
#48241 JavaScript Injection in frontchannel-logout.ftl via frontchannel-logout.title authentication
#48259 Kubernetes identity providers docs still mention it to be a preview feature docs
#48313 No escape approach for JS code inside the front channel logout FTL login/ui
#48536 Review migration guide for rolling updates changes workflows
#48629 WindowsServiceDistTest.testServiceLifecycle fails on slower runners due to insufficient startup timeout ci

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Copilot