Keycloak ID First Login Error Message CVE-2026-4633: User Enumeration
CVE-2026-4633 Published on March 23, 2026

Keycloak: keycloak: user enumeration via differential error messages
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.

NVD

Vulnerability Analysis

CVE-2026-4633 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public.

Weakness Type

Generation of Error Message Containing Sensitive Information

The software generates an error message that includes sensitive information about its environment, users, or associated data.


Products Associated with CVE-2026-4633

Want to know whenever a new CVE is published for Red Hat Build Keycloak? stack.watch will email you.

Red Hat Build Keycloak
 

Affected Versions

Red Hat Build of Keycloak: