- What: Security update for Red Hat build of Keycloak 26.2.16 images
- Impact: Systems using Keycloak on OpenShift
Red Hat Product Errata RHSA-2026:19595 - Security Advisory
Issued: 2026-05-20
Updated: 2026-05-20

Synopsis: Important: Red Hat build of Keycloak 26.2.16 Images Security Update

Type/Severity: Security Advisory: Important

Topic
New images are available for Red Hat build of Keycloak 26.2.16 and Red Hat build of Keycloak 26.2.16 Operator, running on OpenShift Container Platform.

Description
Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services. Red Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.2.16 clusters.

This erratum releases new images for Red Hat build of Keycloak 26.2.16 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.

Security fixes:
- Denial of Service via specially crafted SAML input (CVE-2026-7307)
- Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)
- Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)

Solution
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
Affected Products
- Red Hat build of Keycloak Text-only Advisories x86_64

Fixes
(none)

CVEs
- CVE-2026-4878
- CVE-2026-7307
- CVE-2026-7504
- CVE-2026-7507

References
- https://access.redhat.com/security/updates/classification/#important

Updated Images

aarch64
- rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c
- rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5

ppc64le
- rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d
- rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175

s390x
- rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86
- rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914

x86_64
- rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d
- rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3
- rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.