Bug 1999196 (CVE-2021-3754) - CVE-2021-3754 keycloak: allows using email as username
Summary: CVE-2021-3754 keycloak: allows using email as username
Status: NEW
Alias: CVE-2021-3754
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On:
Blocks: 1998585 1999637
TreeView+ depends on / blocked
Reported: 2021-08-30 17:08 UTC by Michael Kaplan
Modified: 2023-07-07 08:29 UTC (History)
28 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Michael Kaplan 2021-08-30 17:08:03 UTC
keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before emails.

Note You need to log in before you can comment on or make changes to this bug.