Issued: 2026-02-09
Updated: 2026-02-09

RHSA-2026:2365 - Important: Red Hat build of Keycloak 26.4.9 Security Update


Synopsis

Important: Red Hat build of Keycloak 26.4.9 Security Update

Type/Severity

Security Advisory Important

Topic

New Red Hat build of Keycloak 26.4.9 packages are available from the Customer Portal

Description

Red Hat build of Keycloak 26.4.9 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security fixes:

  • Unauthorized organization registration via improper invitation token validation (CVE-2026-1529)
  • Disabled identity providers are still accepted for JWT Authorization Grant (CVE-2026-1486)
  • Incorrect ownership checks in /uma-policy/ (CVE-2025-14778)
  • Unauthorized modification of unmanaged user attributes by administrators (CVE-2026-0871)
  • keycloak-services: Business logic flaw allows unauthorized token issuance for disabled users (CVE-2025-14559)
  • Limited administrator can retrieve sensitive user attributes via Admin API (CVE-2025-13881)

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Affected Products

Product                     Version                Arch
Red Hat build of Keycloak   Text-only Advisories   x86_64

Fixes

(none)
