26.3.5

Latest release in branch 26.3
Released 6 months ago (September 25, 2025)

Software Keycloak
Branch 26.3
Status
End of life
End of life September 30, 2025
First official release version 26.3.0
First official release date 9 months ago (July 01, 2025)
Requirement Java 17
Release notes https://github.com/keycloak/keycloak/releases/tag/26.3.5
Source code https://github.com/keycloak/keycloak/tree/26.3.5
Documentation https://github.com/keycloak/keycloak/tree/26.3.5/docs

What Is New in Keycloak 26.3

This release delivers critical security patches, significant performance tuning for OpenID Connect, and a host of enhancements to the admin experience and underlying infrastructure.

Security: Patches for CVE-2025-5316 and CVE-2025-5317; new script mapper for client scopes
OpenID Connect: OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) support; backchannel logout performance fix
Admin Experience: Client Policies UI; new admin events for user session actions; help text improvements
Infrastructure & Core: Preview of new storage layer; health check metrics; Jakarta EE 10 support
Deprecations & Removals: Legacy store deprecated; JavaScript policy support removed

What security vulnerabilities were patched in 26.3?

Keycloak 26.3 addresses two important CVEs. CVE-2025-5316 is a medium-severity issue where a malicious actor could potentially change a victim's email address under specific conditions. CVE-2025-5317 fixes a problem in the SAML protocol where a wrong audience condition could allow a token to be used with an unintended service provider.

In practice, you should prioritize upgrading if you use SAML extensively or have strict requirements around email verification flows. These patches are a direct response to community findings and are part of the project's ongoing security maintenance.

How does DPoP improve OAuth 2.0 security?

This release adds support for OAuth 2.0 Demonstrating Proof-of-Possession (DPoP), a major security enhancement for public clients. DPoP binds an access token to the client that requested it, so the token alone is useless to an attacker who intercepts it.

This matters because it mitigates the risk of token theft from single-page applications (SPAs) and mobile apps. Instead of a bearer token that anyone can use, you now have a token that requires cryptographic proof from the original client. The implementation includes support for the new dpop_jkt parameter in the authorization request.

What admin UI improvements should I know about?

The Client Policies UI is now fully available, moving out of preview. This lets you visually define and manage complex rules for client registration and authentication without manual JSON configuration.

You also get better auditing capabilities. Admin events are now logged for actions on user sessions, like listing or deleting sessions. Small but helpful UI text clarifications have been added throughout the admin console to reduce configuration errors.

Is the new storage layer ready for production?

The new storage layer is available as a preview in this release, meaning it's not yet recommended for production workloads. This is a foundational change aimed at simplifying the codebase and improving long-term performance and scalability.

You can enable it with a feature flag (--features=preview-new-store) to start testing. This is a big deal for the project's future, but for now, stick with the current store for any serious deployment until it matures.

What was deprecated or removed in this version?

The legacy store subsystem is now officially deprecated and will be removed in a future release. JavaScript-based policies have been completely removed due to security concerns, so you must migrate any existing scripts to the new JavaScript-based authenticator or other policy types.

This cleanup is part of the project's move towards a more secure and maintainable architecture. If you're still using the old JavaScript policies, your upgrade will break, so check your configuration first.

FAQ

I use JavaScript policies. Will my upgrade break?
Yes. JavaScript policy support was completely removed. You must migrate your logic to the new JavaScript-based authenticator before upgrading to 26.3.

What's the most critical reason to upgrade immediately?
The security patches for CVE-2025-5316 and CVE-2025-5317. If you use SAML or are concerned about email hijacking, you should upgrade as soon as possible.

Can I use DPoP with my existing SPA?
Yes, but it requires client-side changes to generate the required cryptographic proof. You'll need to update your client application's code to implement the DPoP specification.

Is the new storage layer a drop-in replacement?
No, it's a preview and its API is not yet stable. It's intended for testing and feedback, not for production use. Do not enable it on your live realm.

Where can I find the detailed technical changelog?
The full list of changes, including all pull requests, is available on the GitHub release page.

Releases In Branch 26.3

Version  Release date
26.3.5   September 25, 2025 (6 months ago)
26.3.4   September 12, 2025 (7 months ago)
26.3.3   August 20, 2025 (7 months ago)
26.3.2   July 24, 2025 (8 months ago)
26.3.1   July 09, 2025 (9 months ago)
26.3.0   July 01, 2025 (9 months ago)