- Issued:
- 2026-06-25
- Updated:
- 2026-06-25
RHSA-2026:30084 - Security Advisory
Synopsis
Important: Red Hat build of Keycloak 26.6.4 Images Security Update
Type/Severity
Security Advisory: Important
Topic
New images are available for Red Hat build of Keycloak 26.6.4 and
Red Hat build of Keycloak 26.6.4 Operator, running on OpenShift
Container Platform
Description
Red Hat build of Keycloak is an integrated sign-on solution,
available as a Red Hat JBoss Middleware for OpenShift containerized
image. The Red Hat build of Keycloak for OpenShift image provides
an authentication server that you can use to log in centrally, log
out, and register. You can also manage user accounts for web
applications, mobile applications, and RESTful web services.
Red Hat build of Keycloak Operator for OpenShift simplifies
deployment and management of Keycloak 26.6.4 clusters.
This erratum releases new images for Red Hat build of Keycloak
26.6.4 for use within the OpenShift Container Platform cloud
computing Platform-as-a-Service (PaaS) for on-premise or private
cloud deployments, aligning with the standalone product release.
Security fixes:
- Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)
- Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)
- eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name (CVE-2026-6860)
- Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)
- Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)
- Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)
- Information disclosure through arbitrary filesystem path probing (CVE-2026-9083)
- Cross-site scripting (XSS) via case-insensitive URI validation bypass (CVE-2026-9086)
- Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)
- Information disclosure due to user profile permission bypass (CVE-2026-9088)
- Group-Admin Escalation to Realm-Admin (CVE-2026-9099)
- Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)
- Attacker can re-enable and take over disabled clients via Registration Access Token (CVE-2026-9705)
- Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)
- Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)
- Information disclosure via SAML ECP endpoint (CVE-2026-9794)
- Privilege escalation via improper scope mapping enforcement (CVE-2026-9795)
- Unauthorized access to resources via UMA permission ticket bypass (CVE-2026-9799)
- Authorization bypass via incorrect URI comparison (CVE-2026-9800)
- Denial of Service via malformed LDAP password policy response (CVE-2026-9801)
- Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)
- Denial of Service via malformed Authorization header (CVE-2026-9803)
Solution
Before applying the update, back up your existing installation,
including all applications, configuration files, databases and
database settings, and so on.
Affected Products
- Red Hat build of Keycloak Text-only Advisories x86_64
Fixes
(none)CVEs
aarch64
| rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3 |
| rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592 |
ppc64le
| rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11 |
| rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed |
s390x
| rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e |
| rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94 |
x86_64
| rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec |
| rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b |
| rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.