If you're reading this, it's most likely because you've been through several security upgrade operations on your Keycloak environments over the past few months. For many of you, that already represents more operations in 5 months than across the whole of 2025. A third campaign is underway as I write this post in May 2026.
A few thoughts I wanted to share with you, outside of any urgency: what's happening across the identity and access management landscape today, what we're absorbing on your behalf, and what's changing right now so this load stays off your team's shoulders.
Identity has become target number one. NIST and CISA confirmed this in late 2025 with their joint report Protecting Tokens and Assertions from Forgery, Theft, and Misuse, published after a series of major incidents targeting the identity systems of large organizations. On the European side, ENISA reaches the same conclusion in its Threat Landscape 2025: user identity has become the primary security perimeter. When IAM falls, everything falls with it, and attackers understood this before many organizations did.
Keycloak sits at the heart of this front line. As a de facto standard for open-source IAM, it is under constant scrutiny from security researchers, large enterprises running it at scale, and now AI-powered code analysis agents. This isn't speculative: in 2025 alone, GitHub published 35% more CVEs than the year before, and Daniel Stenberg, the creator of curl, has documented the evolution of AI-related submissions on his own project: 2 cases in 2023, 6 in 2024, 37 in 2025. The result is a steady stream of identified and patched vulnerabilities. This is neither a drift nor a warning signal; it is the signature of a project that is alive, where every flaw discovered is a flaw disclosed and patched. We are grateful to the Keycloak maintainers for the rigour and consistency of their work.
What this means for you: securing Keycloak in 2026 is no longer a once-a-year sprint. It's a continuous practice. And it's precisely why many of our customers chose to join us, to ensure continuous security, and to be supported at every operation.
When an upgrade operation is scheduled on your side, it's the visible tip of work that started several days before, or several hours before in critical cases.
Concretely, our technical team qualifies CVEs one by one and analyses the attack vectors applicable to each type of deployment. It then tests the target version in validation, then in pre-production, then in production. Next comes regression validation, not only on Keycloak itself, but also on every operation inherent to the managed service: backup, rolling upgrade, installation, restoration, and everything that makes up the daily mechanics of your environment. In parallel, maintenance windows are planned and communications tailored according to impacted client profiles.
That's what you don't see, and it's precisely what turns an industry-wide challenge into a framed operation on your side, with a remediation plan already validated.
Two building blocks are currently being rolled out by our technical teams across all environments, with progressive activation by the end of Q2 2026. You'll see them appear in your console over the coming weeks.
EMS introduces automated release validation: every time a new extension release is submitted to the platform, we test its startup with Keycloak to make sure the update won't break your service. The validation ensures your release starts cleanly with Keycloak. Learn more about the scope.
In practice: half of the situations where a CVE operation used to be blocked at startup, because we didn't know whether your extension would survive the upgrade, simply disappear. All you have to do is verify that your code behaves as expected.
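To make the startup validation described above concrete, here is an added example of the kind of gate it implies; it is not the platform's own code. It assumes a Keycloak container started with the extension jar mounted into `/opt/keycloak/providers` and health checks enabled, so that the management interface exposes `/health/ready` (the port, image name and timeout values are assumptions). The script polls that endpoint, parses the health payload, and fails the release if Keycloak never reports `UP` or if the startup log contains ERROR-level lines, which is how a provider that fails to load usually surfaces. The sample health payloads and log lines in the self-check are constructed.

```python
"""Startup gate for a Keycloak extension release (added example, not the platform's code)."""
import json
import subprocess
import sys
import time
import urllib.error
import urllib.request

# Assumptions: Keycloak >= 25 management interface on port 9000, health enabled.
HEALTH_URL = "http://localhost:9000/health/ready"
CONTAINER_NAME = "kc-release-gate"        # hypothetical container name
IMAGE = "quay.io/keycloak/keycloak:latest"  # assumption: pin to the target version in practice


def evaluate_health(body: str) -> tuple[bool, list[str]]:
    """Parse a MicroProfile-style health payload {"status": ..., "checks": [...]}.

    Returns (ready, names_of_failing_checks). Any unparseable body counts as not ready,
    so a half-started server can never be mistaken for a healthy one.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False, ["unparseable health response"]
    checks = doc.get("checks") or []
    failing = [c.get("name", "<unnamed>") for c in checks if c.get("status") != "UP"]
    return doc.get("status") == "UP" and not failing, failing


def error_lines(log_text: str) -> list[str]:
    """Return log lines emitted at ERROR level; a provider that fails to deploy shows up here."""
    return [line for line in log_text.splitlines() if " ERROR " in line]


def wait_ready(url: str = HEALTH_URL, timeout_s: int = 120, interval_s: int = 3) -> tuple[bool, str]:
    """Poll the readiness endpoint until it reports UP or the deadline passes."""
    deadline = time.monotonic() + timeout_s
    last = "no response"
    while time.monotonic() < deadline:
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                ready, failing = evaluate_health(resp.read().decode("utf-8", "replace"))
                if ready:
                    return True, "ready"
                last = f"checks not UP: {failing}"
        except (urllib.error.URLError, OSError) as exc:
            last = str(exc)
        time.sleep(interval_s)
    return False, last


def run_gate(extension_jar: str) -> int:
    """Start Keycloak with the extension mounted, wait for readiness, scan the log. 0 = pass."""
    cmd = [
        "docker", "run", "--rm", "-d", "--name", CONTAINER_NAME,
        "-p", "9000:9000",
        "-e", "KC_HEALTH_ENABLED=true",
        "-e", "KC_BOOTSTRAP_ADMIN_USERNAME=admin",     # throwaway credentials for the gate only
        "-e", "KC_BOOTSTRAP_ADMIN_PASSWORD=gate-only",
        "-v", f"{extension_jar}:/opt/keycloak/providers/extension.jar:ro",
        IMAGE, "start-dev",
    ]
    subprocess.run(cmd, check=True)
    try:
        ready, detail = wait_ready()
        log = subprocess.run(["docker", "logs", CONTAINER_NAME],
                             capture_output=True, text=True).stdout
        errors = error_lines(log)
        if not ready:
            print(f"FAIL: Keycloak did not become ready ({detail})")
        for line in errors:
            print(f"FAIL: {line}")
        return 0 if ready and not errors else 1
    finally:
        subprocess.run(["docker", "rm", "-f", CONTAINER_NAME], capture_output=True)


if __name__ == "__main__":
    sys.exit(run_gate(sys.argv[1] if len(sys.argv) > 1 else "./my-extension.jar"))
```

Run it as `python gate.py path/to/extension.jar` against the Keycloak version you are about to upgrade to; a non-zero exit is the signal that the extension and the target release need attention before the CVE operation is scheduled.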
You're fully in control. From the console, you choose the exact moment when the upgrade is triggered, within the ISO 27001 timeframe we hold ourselves to. A Thursday after your sprint, impossible during the day? Schedule the operation for the night. You decide, and you keep your hands on your own planning.
Additional enhancements are on the way. I'll tell you about them when they're ready, not before.
I'm not going to promise you there will be no more CVE operations. There will be; that's the nature of running a modern identity infrastructure. But with each operation, I want you to see and feel concretely that the friction is decreasing.
If you have any friction, frustration, or ideas to make securing your Keycloak environment easier, I'm here and available. Reach out to me directly or through support; your feedback always reaches me. I'll make time to understand your constraints and to let them shape the product.
With every step we take together, we improve the way your Keycloak IAM stack is managed.