GHSA-rhgq-f8x5-j2jcLowCVSS 3.7

Keycloak's identity-first login flow exposes user information

Published
March 23, 2026
Last Modified
June 17, 2026

🔗 CVE IDs covered (1)

📋 Description

A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.

🎯 Affected products2

  • maven/org.keycloak:keycloak-services:>= 26.5.0, < 26.6.1
  • maven/org.keycloak:keycloak-services:< 26.4.12

🔗 References (8)