- Issued: 2026-02-09
- Updated: 2026-02-09
RHSA-2026:2365 - Security Advisory
Synopsis
Important: Red Hat build of Keycloak 26.4.9 Security Update
Type/Severity
Security Advisory: Important
Topic
New Red Hat build of Keycloak 26.4.9 packages are available from the Customer Portal.
Description
Red Hat build of Keycloak 26.4.9 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
Security fixes:
- Unauthorized organization registration via improper invitation token validation (CVE-2026-1529)
- Disabled identity providers are still accepted for JWT Authorization Grant (CVE-2026-1486)
- Incorrect ownership checks in /uma-policy/ (CVE-2025-14778)
- Unauthorized modification of unmanaged user attributes by administrators (CVE-2026-0871)
- keycloak-services: Business logic flaw allows unauthorized token issuance for disabled users (CVE-2025-14559)
- Limited administrator can retrieve sensitive user attributes via Admin API (CVE-2025-13881)
Solution
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
Affected Products
- Red Hat build of Keycloak Text-only Advisories x86_64
Fixes
(none)
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.