logo

Database

Technical information leak In org.keycloak:keycloak-services

Description

Keycloak's identity-first login flow exposes user information A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-46332. NVD-2026-46333. OSV-2026-46334. GCVE-2026-46335. ACCESS-CVE-2026-4633

References

1. https://github.com/keycloak/keycloak/issues/476192. https://github.com/keycloak/keycloak/commit/b137016cc6dcfd9f59b2aa2e6d73af8b0ebf7c6e3. https://github.com/keycloak/keycloak/commit/b4558a874fa79341404ae4d2d8f240f22bfed3404. https://bugzilla.redhat.com/show_bug.cgi?id=2450247

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.