Description
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.
Published: 2026-03-23
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure – User Enumeration
Action: Assess Impact
AI Analysis

Impact

A flaw in Keycloak's identity-first login flow lets a remote, unauthenticated actor send crafted authentication requests. When the Organizations feature is enabled, the server returns different error messages depending on whether the supplied username exists. This differential information release, classified under CWE-209 (Generation of Error Message Containing Sensitive Information), lets an attacker enumerate valid user accounts and thereby disclose sensitive information.

Affected Systems

The vulnerability impacts the Red Hat Build of Keycloak. No version‑specific details are provided, so any deployment of this product that has Organizations enabled is potentially affected.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity, and an EPSS of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. An attack requires only remote access to the login endpoint and no privileged credentials; valid users are enumerated through crafted authentication requests to the identity-first flow.

Generated by OpenCVE AI on April 2, 2026 at 05:52 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat security update when it becomes available.
  • No approved workaround exists that meets Red Hat Product Security criteria; follow vendor guidance and monitor for an official fix.

Advisories
Source: GitHub GHSA
ID: GHSA-rhgq-f8x5-j2jc
Title: Keycloak's identity-first login flow exposes user information
History

Wed, 01 Apr 2026 23:45:00 +0000

Values Added:
  First Time appeared: Redhat build Of Keycloak
  CPEs: cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
  Vendors & Products: Redhat build Of Keycloak

Mon, 23 Mar 2026 16:15:00 +0000

Values Added:
  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 11:00:00 +0000

Values Added:
  Description: A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.
  Title: Keycloak: keycloak: user enumeration via differential error messages
  First Time appeared: Redhat; Redhat build Keycloak
  Weaknesses: CWE-209
  CPEs: cpe:/a:redhat:build_keycloak:
  Vendors & Products: Redhat; Redhat build Keycloak
  References
  Metrics: cvssV3_1
    {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-01T14:38:10.321Z

Reserved: 2026-03-23T08:36:31.514Z

Link: CVE-2026-4633

Vulnrichment

Updated: 2026-03-23T15:07:16.456Z

NVD

Status : Analyzed

Published: 2026-03-23T11:16:25.053

Modified: 2026-04-01T14:26:47.490

Link: CVE-2026-4633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:29Z

Weaknesses