diff --git a/charts/keycloak/Chart.yaml b/charts/keycloak/Chart.yaml
index d8faf50..8df3528 100644
--- a/charts/keycloak/Chart.yaml
+++ b/charts/keycloak/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: keycloak
 description: A Helm chart for deploying Keycloak IAM using the upstream quay.io/keycloak/keycloak image on Kubernetes
 type: application
-version: 26.6.1
+version: 26.6.3
 appVersion: "26.6.3"
 keywords:
   - keycloak
@@ -30,9 +30,7 @@ annotations:
     - name: Source
       url: https://github.com/KitStream/helms
   artifacthub.io/changes: |
-    - kind: changed
-      description: Bump Keycloak from 26.6.0 to 26.6.1 (security and bugfix release)
     - kind: security
-      description: "Upstream security fixes: CVE-2026-4366 (SSRF via HTTP redirect), CVE-2026-4633 (user enumeration via identity-first login)"
+      description: Bump Keycloak from 26.6.1 to 26.6.3 — ~32 upstream CVE fixes including session fixation, redirect-URI bypass, SSRF, and refresh-token reuse
     - kind: fixed
-      description: Fix broken chart icon URL — upstream Keycloak moved keycloak_icon_512px.svg to icon.svg (#64)
+      description: Publish not-ready addresses on the JGroups headless service so simultaneously started replicas form a single cluster instead of split-brain merging late
diff --git a/charts/keycloak/tests/serviceaccount_test.yaml b/charts/keycloak/tests/serviceaccount_test.yaml
index 1c15066..3de3429 100644
--- a/charts/keycloak/tests/serviceaccount_test.yaml
+++ b/charts/keycloak/tests/serviceaccount_test.yaml
@@ -52,6 +52,6 @@ tests:
       - isSubset:
           path: metadata.labels
           content:
-            helm.sh/chart: keycloak-26.6.1
+            helm.sh/chart: keycloak-26.6.3
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/version: "26.6.3"