CVE-2026-4633
Received Received - Intake
User Enumeration Vulnerability in Keycloak Identity-First Login

Publication date: 2026-03-23

Last updated on: 2026-04-01

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4633
EUVD
EUVD-2026-14400
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-4633 is a vulnerability in Keycloak that allows an attacker to determine whether a username exists in the system by exploiting differences in error messages during the identity-first login flow when Organizations are enabled.'}, {'type': 'paragraph', 'content': 'Specifically, when logging in via the endpoint `/realms/[realm]/account/`, the system returns different error messages: "Invalid username or password" if the username does not exist, and "Invalid Password" if the username exists but the password is incorrect. This difference enables user enumeration.'}, {'type': 'paragraph', 'content': 'To exploit this vulnerability, Organizations must be enabled on the realm, the identity-first login flow must be active, and the attacker must have network access to the login endpoint.'}] [1]

Impact Analysis

This vulnerability allows an attacker to confirm the existence of user accounts in the Keycloak system by observing different error messages during login attempts.

Such user enumeration can lead to information disclosure, which may be leveraged in further attacks such as targeted phishing, brute force attacks, or social engineering.

However, the vulnerability is classified as low severity with a CVSS base score of 3.7, indicating limited impact on confidentiality and no impact on integrity or availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by observing the error messages returned during login attempts to the Keycloak endpoint `/realms/[realm]/account/` when Organizations are enabled and the identity-first login flow is active.'}, {'type': 'paragraph', 'content': 'Specifically, you can test by submitting login requests with both existing and non-existent usernames and comparing the error messages.'}, {'type': 'list_item', 'content': 'Send a login request with a non-existent username and note the error message "Invalid username or password".'}, {'type': 'list_item', 'content': 'Send a login request with an existing username but incorrect password and note the error message "Invalid Password".'}, {'type': 'paragraph', 'content': 'The difference in these error messages indicates the presence of the vulnerability and allows user enumeration.'}, {'type': 'paragraph', 'content': 'Example command using curl to test an existing username (replace [realm], [username], and [password]):'}, {'type': 'list_item', 'content': "curl -X POST https://[keycloak-server]/realms/[realm]/account/ -d 'username=[username]&password=[password]'"}, {'type': 'paragraph', 'content': 'Repeat the command with a non-existent username and compare the error messages in the response.'}] [1]

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4633. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart