CVE-2026-4633 LOW

CVE-2026-4633: Keycloak: keycloak: user enumeration via differential error messages

Vendor Red Hat
Product Red Hat Build of Keycloak
Weakness CWE-209 · Error message info leak
Published March 23, 2026
Last update April 1, 2026

CVSS base score 3.7/10 (CVSS v3.1)

Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

A flaw was found in Keycloak. When Organizations are enabled, the identity-first login flow returns different error messages depending on whether the submitted username corresponds to an existing user. A remote, unauthenticated attacker can compare these responses to determine whether a given user exists, leading to information disclosure through user enumeration.

Key dates

Disclosure timeline

March 23, 2026 CVE published
April 1, 2026 Record updated