CVE-2026-4633
User Enumeration Vulnerability in Keycloak Identity-First Login

Publication date: 2026-03-23

Last updated on: 2026-04-01

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.
Meta information
Generated: 2026-05-27
AI Q&A: 2026-03-23
EPSS evaluated: 2026-05-25
Affected vendors & products (1 associated CPE)
Vendor: redhat
Product: build_of_keycloak
Version / range: *
CWE-209: The product generates an error message that includes sensitive information about its environment, users, or associated data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4633 is a vulnerability in Keycloak that allows an attacker to determine whether a username exists in the system by exploiting differences in error messages during the identity-first login flow when Organizations are enabled.

Specifically, when logging in via the endpoint `/realms/[realm]/account/`, the system returns different error messages: "Invalid username or password" if the username does not exist, and "Invalid Password" if the username exists but the password is incorrect. This difference enables user enumeration.

To exploit this vulnerability, Organizations must be enabled on the realm, the identity-first login flow must be active, and the attacker must have network access to the login endpoint. [1]


How can this vulnerability impact me?

This vulnerability allows an attacker to confirm the existence of user accounts in the Keycloak system by observing different error messages during login attempts.

Such user enumeration can lead to information disclosure, which may be leveraged in further attacks such as targeted phishing, brute force attacks, or social engineering.

However, the vulnerability is classified as low severity with a CVSS base score of 3.7, indicating limited impact on confidentiality and no impact on integrity or availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing the error messages returned during login attempts to the Keycloak endpoint `/realms/[realm]/account/` when Organizations are enabled and the identity-first login flow is active.

Specifically, you can test by submitting login requests with both existing and non-existent usernames and comparing the error messages:

- Send a login request with a non-existent username and note the error message "Invalid username or password".
- Send a login request with an existing username but incorrect password and note the error message "Invalid Password".

The difference in these error messages indicates the presence of the vulnerability and allows user enumeration.

Example command using curl to test an existing username (replace [realm], [username], and [password]):

    curl -X POST https://[keycloak-server]/realms/[realm]/account/ -d 'username=[username]&password=[password]'

Repeat the command with a non-existent username and compare the error messages in the response. [1]
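As an added example that is not part of this record, a small offline Python check for the comparison step above: it extracts the feedback text from the login responses for a non-existent user and for a real user with a wrong password, and reports whether the two messages differ, which is what a regression check against your own realm would look for before and after patching. The response bodies, their markup and the `kc-feedback-text` class are constructed assumptions for this example, not Keycloak's actual template.

```python
import re
from typing import Dict, Optional

# Constructed sample bodies standing in for the login page returned after a
# failed identity-first login. The markup (and the kc-feedback-text class)
# is an assumption for this example, not Keycloak's actual template.
VULNERABLE_RESPONSES: Dict[str, str] = {
    "nonexistent-user": (
        '<div class="alert alert-error">\n'
        '  <span class="kc-feedback-text">Invalid username or password.</span>\n'
        "</div>"
    ),
    "existing-user-wrong-password": (
        '<div class="alert alert-error">\n'
        '  <span class="kc-feedback-text">Invalid Password</span>\n'
        "</div>"
    ),
}

# The same two attempts against a deployment that answers uniformly.
FIXED_RESPONSES: Dict[str, str] = {
    label: VULNERABLE_RESPONSES["nonexistent-user"] for label in VULNERABLE_RESPONSES
}

_FEEDBACK_RE = re.compile(r'<span class="kc-feedback-text">(.*?)</span>', re.S)


def extract_feedback(body: str) -> Optional[str]:
    """Return the normalised feedback message from a login page, or None."""
    match = _FEEDBACK_RE.search(body)
    if not match:
        return None
    text = re.sub(r"\s+", " ", match.group(1)).strip()
    # Fold case and trailing punctuation so cosmetic differences do not count
    # as distinct messages; only the wording itself matters for the oracle.
    return text.rstrip(".!").lower()


def differential_messages(responses: Dict[str, str]) -> Dict[str, object]:
    """Report whether failed-login responses reveal account existence.

    The check is positive when the attempts yield more than one distinct
    feedback message, i.e. the response depends on whether the user exists.
    """
    messages = {label: extract_feedback(body) for label, body in responses.items()}
    distinct = sorted({m for m in messages.values() if m is not None})
    return {"messages": messages, "distinct": distinct, "differential": len(distinct) > 1}


if __name__ == "__main__":
    for name, responses in (("vulnerable", VULNERABLE_RESPONSES), ("fixed", FIXED_RESPONSES)):
        result = differential_messages(responses)
        print(f"{name}: differential={result['differential']} messages={result['distinct']}")
```

To use it against a real deployment, feed `differential_messages` the response bodies captured from the two curl requests above; a `differential` of `True` means the login flow still acts as a user-existence oracle.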


What immediate steps should I take to mitigate this vulnerability?

I don't know

