diff --git a/src/keycloak/chart/Chart.yaml b/src/keycloak/chart/Chart.yaml
index e114d17499..70a9ff2ff9 100644
--- a/src/keycloak/chart/Chart.yaml
+++ b/src/keycloak/chart/Chart.yaml
@@ -4,7 +4,7 @@
 apiVersion: v2
 name: keycloak
 # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver
-version: 26.1.4
+version: 26.2.0
 description: Open Source Identity and Access Management For Modern Applications and Services
 keywords:
   - sso
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
index fbd6aee13a..c00417888b 100644
--- a/src/keycloak/chart/templates/statefulset.yaml
+++ b/src/keycloak/chart/templates/statefulset.yaml
@@ -137,6 +137,13 @@ spec:
               value: DEBUG
             - name: QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES_X509__LEVEL
               value: TRACE
+            # https://github.com/keycloak/keycloak/issues/39046
+            # Starting from 26.2.0, Keycloak doesn't use password for the internal H2 database.
+            # This breaks upgrade scenarios, so we need to use the same password as in 26.1.x
+            - name: KC_DB_USERNAME
+              value: sa
+            - name: KC_DB_PASSWORD
+              value: password
           {{- end }}
           {{- if eq (include "keycloak.postgresql.config" .) "true" }}
             # Infinispan cache configuration
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index 13f2b05bd6..44db84f099 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
@@ -5,7 +5,7 @@ image:
   # The Keycloak image repository
   repository: quay.io/keycloak/keycloak
   # Overrides the Keycloak image tag whose default is the chart appVersion
-  tag: "26.1.4"
+  tag: "26.2.0"
   # The Keycloak image pull policy
   pullPolicy: IfNotPresent
 
diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml
index 7b4d2ba7d0..5ec26bf815 100644
--- a/src/keycloak/common/zarf.yaml
+++ b/src/keycloak/common/zarf.yaml
@@ -13,7 +13,7 @@ components:
       - name: keycloak
         namespace: keycloak
         # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver
-        version: 26.1.4
+        version: 26.2.0
         localPath: ../chart
         valuesFiles:
           - ../chart/values.yaml
diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml
index 7cfa3d6945..8ccaf7c2b8 100644
--- a/src/keycloak/values/registry1-values.yaml
+++ b/src/keycloak/values/registry1-values.yaml
@@ -3,7 +3,7 @@
 
 image:
   repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak
-  tag: "26.1.4"
+  tag: "26.2.0"
 podSecurityContext:
   fsGroup: 2000
 securityContext:
diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml
index cd09290667..ba9fe26a12 100644
--- a/src/keycloak/values/unicorn-values.yaml
+++ b/src/keycloak/values/unicorn-values.yaml
@@ -5,4 +5,4 @@ podSecurityContext:
   fsGroup: 65532
 image:
   repository: cgr.dev/du-uds-defenseunicorns/keycloak
-  tag: "26.1.4"
+  tag: "26.2.0"
diff --git a/src/keycloak/values/upstream-values.yaml b/src/keycloak/values/upstream-values.yaml
index eaaff7c235..57c1f36abd 100644
--- a/src/keycloak/values/upstream-values.yaml
+++ b/src/keycloak/values/upstream-values.yaml
@@ -5,4 +5,4 @@ podSecurityContext:
   fsGroup: 1000
 image:
   repository: quay.io/keycloak/keycloak
-  tag: "26.1.4"
+  tag: "26.2.0"
diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml
index 163097cdd4..b68cc86031 100644
--- a/src/keycloak/zarf.yaml
+++ b/src/keycloak/zarf.yaml
@@ -26,7 +26,7 @@ components:
         valuesFiles:
           - "values/upstream-values.yaml"
     images:
-      - quay.io/keycloak/keycloak:26.1.4
+      - quay.io/keycloak/keycloak:26.2.0
       - ghcr.io/defenseunicorns/uds/identity-config:0.12.1
 
   - name: keycloak
@@ -40,7 +40,7 @@ components:
         valuesFiles:
           - "values/registry1-values.yaml"
     images:
-      - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:26.1.4
+      - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:26.2.0
       - ghcr.io/defenseunicorns/uds/identity-config:0.12.1
 
   - name: keycloak
@@ -54,5 +54,5 @@ components:
         valuesFiles:
           - "values/unicorn-values.yaml"
     images:
-      - cgr.dev/du-uds-defenseunicorns/keycloak:26.1.4 # todo: switch to FIPS image
+      - cgr.dev/du-uds-defenseunicorns/keycloak:26.2.0 # todo: switch to FIPS image
       - ghcr.io/defenseunicorns/uds/identity-config:0.12.1