keycloak/keycloak 26.5.3 Release Notes

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

• #46144 CVE-2026-1609 Disabled users can still obtain tokens via JWT Authorization Grant
• #46145 CVE-2026-1529 Forged invitation JWT enables cross-organization self-registration
• #46146 CVE-2026-1486 Logic Bypass in JWT Authorization Grant Allows Authentication via Disabled Identity Providers
• #46147 CVE-2025-14778 Incorrect ownership checks in /uma-policy/

Enhancements

• #45892 Upgrade minikube for CI tests operator

Bugs

• #44379 Node.js admin client does not refresh tokens admin/client-js
• #45459 k8s multiple restart (oomkilled) in v26.5.0-0 during startup because of RAM dist/quarkus
• #45662 Increase in startup memory consumption in post 26.5 versions dist/quarkus
• #45677 Hibernate Validator is enabled by default when not used dist/quarkus
• #45708 Unpexted value '' in mixed-cluster-compatibility-tests testsuite
• #45745 mixed-cluster-compatibility-tests fail due to incorrectly masked content in 26.5 branch ci
• #45755 Broken YAML indentation in operator rolling updates doc docs
• #45780 Remove fatal log messages from `ConsistentHash`