fix(deps): update keycloakversion to v26.5.7

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.keycloak:keycloak-services (source)	26.5.4 → 26.5.7
org.keycloak:keycloak-saml-core (source)	26.5.4 → 26.5.7

---

Release Notes

keycloak/keycloak (org.keycloak:keycloak-services)

v26.5.7

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

• #​45493 CVE-2025-14083 keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure admin/api
• #​45569 CVE-2026-1002 - io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files
• #​47069 CVE-2026-3429 Improper Access Control for LoA During Credential Deletion account/api
• #​47716 CVE-2026-4634 Keycloak Application-Level DoS via Scope Processing
• #​47717 CVE-2026-4636 UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
• #​47718 CVE-2026-3872 Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
• #​47719 CVE-2026-4282 Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

Enhancements

• #​46631 Upgrade to Quarkus 3.27.3 dist/quarkus

Bugs

• #​45204 Call without Host header throws uncaught error core

v26.5.6

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

• #​45645 CVE-2026-1180 - Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri oidc
• #​45647 CVE-2026-1035 - Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition oidc
• #​45650 CVE-2025-14777 - Keycloak IDOR in realm client creating/deleting
• #​45653 CVE-2025-14082 keycloak-server: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure
• #​46719 CVE-2026-3121 - Keycloak: Privilege escalation via manage-clients permission
• #​46723 CVE-2026-3190 - Information Disclosure via improper role enforcement in UMA 2.0 Protection API core
• #​46922 CVE-2026-3911 Keycloak: Information disclosure of disabled user attributes via administrative endpoint user-profile
• #​47062 CVE-2026-2366 Authorization Bypass: Unprivileged tokens can enumerate user organization memberships organizations

Bugs

• #​45889 Federated user disabled when external DB unavailable, never re-enabled storage
• #​46239 AUTH_SESSION_ID cookie reuse causes cross-user session contamination on re-authentication authentication
• #​46296 UsersResource.search briefRepresentation started to return user attributes admin/api
• #​46379 Unexpected error when logging out with offline session and external IDP oidc
• #​46459 Operator-built DB config: targetServerType=primary not applied / connection validation not working after master-replica failover (26.5.0) operator
• #​46588 Partial LDAP sync duration does not follow the defined value in user federation ldap
• #​46605 26.5.4 startup regression with many realms: RealmCacheSession.prepareCachedRealm() scans master admin role composites per realm (O(N²)) core
• #​46656 Em-Hyphens in SPI options on cache configuration page docs
• #​46663 JGroups bind port configuration ignored when --cache-embedded-network-bind-port set infinispan
• #​46669 SPIFFE Client assertion throws a NullPointerException if no client is found token-exchange
• #​47079 Do not allow fetching organizations of a member if not a member of the current organization organizations

v26.5.5

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

• #​46909 CVE-2026-3047 SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login
• #​46910 CVE-2026-3009 Improper Enforcement of Disabled Identity Provider in IdentityBrokerService
• #​46911 CVE-2026-2603 Disabled SAML IdP still allows IdP-initiated broker login
• #​46912 CVE-2026-2092 saml broker encrypted assertion injection

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.