diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
index 77a7723..44d4a91 100644
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -18,7 +18,7 @@
 
     - name: Download keycloak archive to controller directory
       ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
-        url: https://github.com/keycloak/keycloak/releases/download/26.0.8/keycloak-26.0.8.zip
+        url: https://github.com/keycloak/keycloak/releases/download/26.2.4/keycloak-26.2.4.zip
         dest: /tmp/keycloak
         mode: '0640'
       delegate_to: localhost
diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml
index 65da7bd..1114478 100644
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -23,7 +23,7 @@
     keycloak_quarkus_systemd_wait_for_delay: 2
     keycloak_quarkus_systemd_wait_for_log: true
     keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
-    keycloak_quarkus_version: 26.2.0
+    keycloak_quarkus_version: 26.2.4
     keycloak_quarkus_additional_env_vars:
       - key: KC_FEATURES_DISABLED
         value: impersonation,kerberos
@@ -45,7 +45,7 @@
           repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
           group_id: org.keycloak
           artifact_id: keycloak-kerberos-federation
-          version: 26.0.7 # optional
+          version: 26.2.4 # optional
           # username: myUser # optional
           # password: myPAT # optional
       # - id: my-static-theme
diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
index 7aedb45..0da7272 100644
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -33,7 +33,7 @@ Role Defaults
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_version`| keycloak.org package version | `26.0.7` |
+|`keycloak_quarkus_version`| keycloak.org package version | `26.2.4` |
 |`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
 |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
@@ -77,7 +77,7 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
-|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` |
+|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `JDBCPING` |
 |`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
 |`keycloak_quarkus_jgroups_ip`| Host jgroups IP.  If changing this variable you must make sure it is always set for all hosts in your cluster. | `{{ ansible_default_ipv4.address }}` |
 |`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index b4d5a37..ee12214 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 26.0.8
+keycloak_quarkus_version: 26.2.4
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
 keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
@@ -70,7 +70,7 @@ keycloak_quarkus_config_key_store_password: ''
 
 ### Enable configuration for database backend, clustering and remote caches on infinispan
 keycloak_quarkus_ha_enabled: false
-keycloak_quarkus_ha_discovery: "TCPPING"
+keycloak_quarkus_ha_discovery: "JDBCPING"
 ### Enable database configuration, must be enabled when HA is configured
 keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}"
 keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}"
@@ -125,19 +125,19 @@ keycloak_quarkus_db_user: keycloak-user
 keycloak_quarkus_db_pass: keycloak-pass
 keycloak_quarkus_db_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}"
 keycloak_quarkus_db_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}"
-# override the variables above, following defaults show minimum supported versions
+# override the variables above, following defaults show recommended version as per
+# https://access.redhat.com/articles/7033107
 keycloak_quarkus_default_jdbc:
   postgres:
     url: 'jdbc:postgresql://localhost:5432/keycloak'
-    version: 9.4.1212
+    version: 42.7.5
   mariadb:
     url: 'jdbc:mariadb://localhost:3306/keycloak'
-    version: 2.7.4
+    version: 3.5.2
   mssql:
     url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
     version: 12.8.1
     driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.8.1.jre11/mssql-jdbc-12.8.1.jre11.jar"
-    # cf. https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/server_configuration_guide/index#db-installing-the-microsoft-sql-server-driver
 ### logging configuration
 keycloak_quarkus_log: file
 keycloak_quarkus_log_level: info
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index cdf280b..95d42f4 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -2,7 +2,7 @@ argument_specs:
     main:
         options:
             keycloak_quarkus_version:
-                default: "26.0.8"
+                default: "26.2.4"
                 description: "keycloak.org package version"
                 type: "str"
             keycloak_quarkus_archive:
@@ -475,7 +475,7 @@ argument_specs:
     downstream:
         options:
             rhbk_version:
-                default: "26.0.11"
+                default: "26.2.4"
                 description: "Red Hat Build of Keycloak version"
                 type: "str"
             rhbk_archive:
diff --git a/roles/keycloak_quarkus/templates/cache-ispn.xml.j2 b/roles/keycloak_quarkus/templates/cache-ispn.xml.j2
index e546ab8..2d745d5 100644
--- a/roles/keycloak_quarkus/templates/cache-ispn.xml.j2
+++ b/roles/keycloak_quarkus/templates/cache-ispn.xml.j2
@@ -22,7 +22,8 @@
         xmlns="urn:infinispan:config:15.0">
 
 {% set stack_expression='' %}
-{% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %}
+{% if keycloak_quarkus_ha_enabled %}
+{% if keycloak_quarkus_ha_discovery == 'TCPPING' %}
 {% set stack_expression='stack="tcpping"' %}
     <jgroups>
         <stack name="tcpping" extends="tcp">
@@ -35,6 +36,9 @@
             />
         </stack>
     </jgroups>
+{% elif keycloak_quarkus_ha_discovery == 'JDBCPING' %}
+{% set stack_expression='stack="JDBC_PING2"' %}
+{% endif %}
 {% endif %}
 
     <cache-container name="keycloak">
@@ -93,6 +97,14 @@
             <expiration max-idle="3600000"/>
             <memory max-count="1000"/>
         </local-cache>
+        <local-cache name="crl" simple-cache="true">
+            <encoding>
+                <key media-type="application/x-java-object"/>
+                <value media-type="application/x-java-object"/>
+            </encoding>
+            <expiration lifespan="-1"/>
+            <memory max-count="1000"/>
+        </local-cache>
         <distributed-cache name="actionTokens" owners="2">
             <encoding>
                 <key media-type="application/x-java-object"/>