Keycloak User Enumeration Vulnerability via Differential Error Messages

Vulnerability

A user enumeration vulnerability has been identified in Keycloak. This issue arises when Organizations are enabled and the identity-first login flow is active. A remote attacker can exploit this vulnerability by sending login requests and observing the different error messages returned. Existing users trigger an 'Invalid Password' response, while non-existent users receive an 'Invalid username or password' error. This discrepancy allows attackers to determine the existence of users, leading to unauthorized information disclosure.

Impact

Exploitation of this vulnerability allows for user enumeration, where an attacker can determine the existence of users based on the differential error messages received during the login process.

Reproduction

To reproduce this vulnerability, create a realm in Keycloak and enable Organizations. Add a user with a known password to an organization. Then, navigate to the account login endpoint and enter a non-existent username followed by any password. The response will indicate that the username does not exist. Repeat the process with an existing username to receive a response indicating an invalid password, thereby confirming the user's existence.

Added: Mar 23, 2026, 11:18 AM
Updated: Mar 23, 2026, 11:18 AM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
0.6
exploitability
9.7
remediation
8.3
relevance
2.8
threat
6.4
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.