
Red Hat Build of Keycloak CVE-2026-4633

EUVD ID: EUVD-2026-14400
Severity: LOW (CVSS 3.1 base score 3.7, NVD)
Weakness: Error Message Information Leak (CWE-209)
Published: 2026-03-23
Source: redhat
GHSA: GHSA-rhgq-f8x5-j2jc

Severity by source

NVD (primary): 3.7 LOW
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

  • EUVD ID Assigned: Mar 23, 2026 - 11:00 (euvd), EUVD-2026-14400
  • Analysis Generated: Mar 23, 2026 - 11:00 (vuln.today)
  • CVE Published: Mar 23, 2026 - 10:53 (nvd), rated LOW 3.7

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves to a depth of 4 paths):
  • 50 Maven packages depend on org.keycloak:keycloak-services (22 direct, 28 indirect)

Ecosystem-wide dependent count for version 26.5.0.

Description (CVE.org)

A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.

Analysis (AI)

Keycloak contains an information disclosure vulnerability in the identity-first login flow when Organizations are enabled, where differential error messages allow remote attackers to enumerate valid user accounts without authentication. The vulnerability affects Red Hat Build of Keycloak across multiple versions, and while the CVSS score is low (3.7), the attack requires only network access with no user interaction. …


Vulnerability Assessment (AI)

Risk Assessment: The CVSS score of 3.7 reflects a low-severity vulnerability with a network attack vector, high attack complexity, no privilege requirement, and low confidentiality impact with no integrity or availability impact. …

Exploit Scenario: An attacker crafts automated login requests against a Keycloak instance with Organizations and identity-first login enabled, submitting common username lists (e.g., firstname.lastname patterns, admin, test users). By observing differential error messages or response timing differences, the attacker systematically identifies which usernames exist in the system, building a valid target list. …

Remediation: Apply the security patch released by Red Hat for Keycloak as documented in the security advisory (https://access.redhat.com/security/cve/CVE-2026-4633); specific patched versions should be obtained from Red Hat's advisory page. …

Recommended Action (AI)

During the next maintenance window: apply vendor patches when convenient. …


Vendor Status (Vendor)

Debian: Bug #1088287, package keycloak

Release       Status   Fixed Version   Urgency
(unspecified) open     -               -
