fix(deps): update dependency @keycloak/keycloak-admin-client to v26.5.6 [security]

[backstage-goalie]

This PR contains the following updates:

Package	Change	Age	Confidence
@keycloak/keycloak-admin-client (source)	26.5.4 → 26.5.6

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Keycloak vulnerable to authorization bypass via the Admin API

CVE-2026-2366 / GHSA-r8jr-wg88-fq5c

More information

Details

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.

Severity

• CVSS Score: 3.1 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-2366
• https://github.com/keycloak/keycloak/issues/47062
• https://access.redhat.com/security/cve/CVE-2026-2366
• https://bugzilla.redhat.com/show_bug.cgi?id=2439081
• https://github.com/keycloak/keycloak

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

keycloak/keycloak (@​keycloak/keycloak-admin-client)

v26.5.6

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

• #​45645 CVE-2026-1180 - Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri oidc
• #​45647 CVE-2026-1035 - Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition oidc
• #​45650 CVE-2025-14777 - Keycloak IDOR in realm client creating/deleting
• #​45653 CVE-2025-14082 keycloak-server: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure
• #​46719 CVE-2026-3121 - Keycloak: Privilege escalation via manage-clients permission
• #​46723 CVE-2026-3190 - Information Disclosure via improper role enforcement in UMA 2.0 Protection API core
• #​46922 CVE-2026-3911 Keycloak: Information disclosure of disabled user attributes via administrative endpoint user-profile
• #​47062 CVE-2026-2366 Authorization Bypass: Unprivileged tokens can enumerate user organization memberships organizations

Bugs

• #​45889 Federated user disabled when external DB unavailable, never re-enabled storage
• #​46239 AUTH_SESSION_ID cookie reuse causes cross-user session contamination on re-authentication authentication
• #​46296 UsersResource.search briefRepresentation started to return user attributes admin/api
• #​46379 Unexpected error when logging out with offline session and external IDP oidc
• #​46459 Operator-built DB config: targetServerType=primary not applied / connection validation not working after master-replica failover (26.5.0) operator
• #​46588 Partial LDAP sync duration does not follow the defined value in user federation ldap
• #​46605 26.5.4 startup regression with many realms: RealmCacheSession.prepareCachedRealm() scans master admin role composites per realm (O(N²)) core
• #​46656 Em-Hyphens in SPI options on cache configuration page docs
• #​46663 JGroups bind port configuration ignored when --cache-embedded-network-bind-port set infinispan
• #​46669 SPIFFE Client assertion throws a NullPointerException if no client is found token-exchange
• #​47079 Do not allow fetching organizations of a member if not a member of the current organization organizations

v26.5.5

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

• #​46909 CVE-2026-3047 SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login
• #​46910 CVE-2026-3009 Improper Enforcement of Disabled Identity Provider in IdentityBrokerService
• #​46911 CVE-2026-2603 Disabled SAML IdP still allows IdP-initiated broker login
• #​46912 CVE-2026-2092 saml broker encrypted assertion injection

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[backstage-goalie]

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
@backstage-community/plugin-catalog-backend-module-keycloak	workspaces/keycloak/plugins/catalog-backend-module-keycloak	patch	v3.17.2