Bug 2450247 (CVE-2026-4633)

Summary: CVE-2026-4633 keycloak: Keycloak: User enumeration via differential error messages
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: aschwart, boliveir, mposolda, pjindal, rmartinc, ssilvert, sthorger, vmuzikar
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.

Description OSIDB Bzimport 2026-03-23 08:36:22 UTC
User enumeration via differential error messages in Organizations + identity-first login flow. Existing users receive "Invalid Password" while non-existent users receive "Invalid username or password."

Requirements to exploit: Organizations enabled on realm, identity-first login flow active, network access to login endpoint.

Steps to reproduce:

1. Create a realm and enable Organizations.
2. Create an organization and add a user with a known password.
3. Navigate to /realms/[realm]/account/.
4. Enter a non-existent username, click "Sign in," enter any password, and submit.
5. Observe error: "Invalid username or password."
6. Repeat with an existing username.
7. Observe error: "Invalid Password."
8. The differential response confirms user existence.
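The mitigation for this class of bug is a login path that returns one generic message, and does the same amount of work, whether or not the username exists. The following Python model is an added example written for this record; it is not Keycloak code, and the two authenticator functions, the user store and the `leaks_user_existence` regression check are hypothetical names. The error strings are the two messages quoted in the description above. The flawed function reproduces the reported behaviour; the hardened one collapses both failure cases to the same message and hashes against a dummy credential for unknown users so timing does not reintroduce the signal.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; real deployments use a tuned, per-user salted hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed sample user store (not Keycloak data): username -> (salt, hash).
_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT)),
}

# Dummy credential so the hardened path performs a real hash comparison even
# when the username is unknown; its password is never accepted (see below).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password."
WRONG_PASSWORD_ERROR = "Invalid Password"


def authenticate_flawed(username: str, password: str) -> tuple[bool, str]:
    """Models the reported behaviour: the error text depends on whether
    the username exists, which is exactly the enumeration oracle."""
    record = USERS.get(username)
    if record is None:
        return (False, GENERIC_ERROR)
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return (True, "")
    return (False, WRONG_PASSWORD_ERROR)


def authenticate_hardened(username: str, password: str) -> tuple[bool, str]:
    """Unknown user and wrong password produce the identical message, and the
    same hashing work is done in both cases."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    digest_matches = hmac.compare_digest(_hash_password(password, salt), stored)
    # A match against the dummy credential must never count as a login.
    if digest_matches and record is not None:
        return (True, "")
    return (False, GENERIC_ERROR)


def leaks_user_existence(authenticate, existing_user: str, unknown_user: str,
                         wrong_password: str = "not-the-password") -> bool:
    """Regression check for a test suite: True if the failure message for a
    wrong password on an existing user differs from the message for an
    unknown user. A hardened login flow must return False here."""
    _, msg_existing = authenticate(existing_user, wrong_password)
    _, msg_unknown = authenticate(unknown_user, wrong_password)
    return msg_existing != msg_unknown


if __name__ == "__main__":
    for name, fn in (("flawed", authenticate_flawed), ("hardened", authenticate_hardened)):
        print(f"{name}: leaks user existence = {leaks_user_existence(fn, 'alice', 'nobody')}")
```

The `leaks_user_existence` check is the kind of assertion worth keeping in a login flow's test suite: it fails as soon as any branch of the authenticator starts returning a distinct message for known versus unknown usernames, which is how this class of regression is caught before release rather than reported as a CVE.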