keycloak · ahus1 · May 19, 2026 · May 19, 2026 · May 19, 2026
diff --git a/cache/releases/keycloak/26.6.2/changelog.json b/cache/releases/keycloak/26.6.2/changelog.json
@@ -1,74 +1,4 @@
 [ {
-  "number" : 381,
-  "repository" : "keycloak-private",
-  "title" : "[CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration / #YWH-PGM40475-168",
-  "kind" : "cve",
-  "area" : "authorization-services",
-  "url" : "https://github.com/keycloak/keycloak-private/issues/381"
-}, {
-  "number" : 392,
-  "repository" : "keycloak-private",
-  "title" : "[CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access) / #YWH-PGM40475-113",
-  "kind" : "cve",
-  "area" : "authorization-services",
-  "url" : "https://github.com/keycloak/keycloak-private/issues/392"
-}, {
-  "number" : 407,
-  "repository" : "keycloak-private",
-  "title" : "[CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission #YWH-PGM40475-171",
-  "kind" : "cve",
-  "area" : "admin/rbac",
-  "url" : "https://github.com/keycloak/keycloak-private/issues/407"
-}, {
-  "number" : 427,
-  "repository" : "keycloak-private",
-  "title" : "[CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens / #YWH-PGM40475-220",
-  "kind" : "cve",
-  "area" : "oidc",
-  "url" : "https://github.com/keycloak/keycloak-private/issues/427"
-}, {
-  "number" : 453,
-  "repository" : "keycloak-private",
-  "title" : "[CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account",
-  "kind" : "cve",
-  "area" : "authentication/webauthn",
-  "url" : "https://github.com/keycloak/keycloak-private/issues/453"
-}, {
-  "number" : 531,
-  "repository" : "keycloak-private",
-  "title" : "[CVE-2026-7507] [Vulnerability Report] Session fixation in OIDC login flow leading to account takeover",
-  "kind" : "cve",
-  "area" : "authentication",
-  "url" : "https://github.com/keycloak/keycloak-private/issues/531"
-}, {
-  "number" : 573,
-  "repository" : "keycloak-private",
-  "title" : "[CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data",
-  "kind" : "cve",
-  "area" : "oidc",
-  "url" : "https://github.com/keycloak/keycloak-private/issues/573"
-}, {
-  "number" : 578,
-  "repository" : "keycloak-private",
-  "title" : "[CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak",
-  "kind" : "cve",
-  "area" : "oidc",
-  "url" : "https://github.com/keycloak/keycloak-private/issues/578"
-}, {
-  "number" : 594,
-  "repository" : "keycloak-private",
-  "title" : "[CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint",
-  "kind" : "cve",
-  "area" : "saml",
-  "url" : "https://github.com/keycloak/keycloak-private/issues/594"
-}, {
-  "number" : 685,
-  "repository" : "keycloak-private",
-  "title" : "[CVE-2026-7307]  Denial of service when sending a crafted request to the /saml endpoint",
-  "kind" : "cve",
-  "area" : null,
-  "url" : "https://github.com/keycloak/keycloak-private/issues/685"
-}, {
   "number" : 37243,
   "repository" : "keycloak",
   "title" : "Ensure all resources in the permission is of the same type",

diff --git a/cache/releases/keycloak/26.6.2/gh-release-notes.html b/cache/releases/keycloak/26.6.2/gh-release-notes.html
@@ -7,16 +7,6 @@ <h2>All resolved issues</h2>
 
 <h3>Security fixes</h3>
 <ul>
-<li><a href="https://github.com/keycloak/keycloak-private/issues/381">#381</a> [CVE-2026-37981] Broken Access Control in Account Resources User Lookup allows PII enumeration / #YWH-PGM40475-168 <code>authorization-services</code></li>
-<li><a href="https://github.com/keycloak/keycloak-private/issues/392">#392</a> [CVE-2026-4630] Keycloak Authorization Services Protection API IDOR (Cross-Resource Server Access) / #YWH-PGM40475-113 <code>authorization-services</code></li>
-<li><a href="https://github.com/keycloak/keycloak-private/issues/407">#407</a> [CVE-2026-37978] Cross-role PII leakage via evaluate-scopes endpoints bypasses user view permission #YWH-PGM40475-171 <code>admin/rbac</code></li>
-<li><a href="https://github.com/keycloak/keycloak-private/issues/427">#427</a> [CVE-2026-37979] OIDC Introspection endpoint does not enforce audience restriction, leaking claims from lightweight access tokens / #YWH-PGM40475-220 <code>oidc</code></li>
-<li><a href="https://github.com/keycloak/keycloak-private/issues/453">#453</a> [CVE-2026-37982] Execute-actions token replay allows unauthorized WebAuthn credential enrollment on victim account <code>authentication/webauthn</code></li>
-<li><a href="https://github.com/keycloak/keycloak-private/issues/531">#531</a> [CVE-2026-7507] [Vulnerability Report] Session fixation in OIDC login flow leading to account takeover <code>authentication</code></li>
-<li><a href="https://github.com/keycloak/keycloak-private/issues/573">#573</a> [CVE-2026-7571] Access token disclosure and implicit flow bypass via forged client data <code>oidc</code></li>
-<li><a href="https://github.com/keycloak/keycloak-private/issues/578">#578</a> [CVE-2026-7504] Security Vulnerability Report: Redirect URI Validation Bypass in Keycloak <code>oidc</code></li>
-<li><a href="https://github.com/keycloak/keycloak-private/issues/594">#594</a> [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint <code>saml</code></li>
-<li><a href="https://github.com/keycloak/keycloak-private/issues/685">#685</a> [CVE-2026-7307]  Denial of service when sending a crafted request to the /saml endpoint </li>
 <li><a href="https://github.com/keycloak/keycloak/issues/47485">#47485</a> CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service </li>
 <li><a href="https://github.com/keycloak/keycloak/issues/47486">#47486</a> CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing </li>
 <li><a href="https://github.com/keycloak/keycloak/issues/47932">#47932</a> [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters <code>authorization-services</code></li>

diff --git a/src/main/java/org/keycloak/webbuilder/builders/ChangelogBuilder.java b/src/main/java/org/keycloak/webbuilder/builders/ChangelogBuilder.java
@@ -64,23 +64,8 @@ private void buildForSource(ReleasesMetadata.ReleaseSource source) throws Except
                         Map<Integer, GHIssue> ghIssues = new HashMap<>();
                         List<String> queries = new LinkedList<>();
 
-                        if (source.isMainProject()) {
-                            // Query all Keycloak projects only for the main project.
-                            queries.add("org:keycloak");
-
-                            // For the main project query all repositories except the ones explicitly listed as separately versioned.
-                            List<String> ignoredRepos = context.getReleasesMetadata().getSources()
-                                    .stream()
-                                    .filter(s -> !s.isMainProject())
-                                    .map(s -> "-repo:" + s.getRepo())
-                                    .collect(Collectors.toList());
-
-                            queries.addAll(ignoredRepos);
-                        } else {
-                            // Only query the currently active repo if we're not targeting the main project.
-                            // The main project is the only one that can pull in release notes from other repos.
-                            queries.add("repo:" + source.getRepo());
-                        }
+
+                        queries.add("repo:" + source.getRepo());
 
                         queries.add("is:issue");