{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4633", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-23T08:36:31.514Z", "datePublished": "2026-03-23T10:53:35.655Z", "dateUpdated": "2026-04-01T14:38:10.321Z"}, "containers": {"cna": {"title": "Keycloak: keycloak: user enumeration via differential error messages", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-4633", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450247", "name": "RHBZ#2450247", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-03-23T05:05:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-209: Generation of Error Message Containing Sensitive Information", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2026-03-23T08:34:37.879Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-03-23T05:05:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-01T14:38:10.321Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:07:15.419255Z", "id": "CVE-2026-4633", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:52:36.681Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4633", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-23T08:36:31.514Z", "datePublished": "2026-03-23T10:53:35.655Z", "dateUpdated": "2026-03-23T15:52:36.681Z"}, "containers": {"cna": {"title": "Keycloak: keycloak: user enumeration via differential error messages", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-4633", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450247", "name": "RHBZ#2450247", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-03-23T05:05:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-209: Generation of Error Message Containing Sensitive Information", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2026-03-23T08:34:37.879Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-03-23T05:05:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-03-23T10:53:35.655Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4633", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:07:15.419255Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:07:16.456Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*", "matchCriteriaId": "E5C930CB-4EAD-497B-A44B-D880F2A1F85B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Keycloak. Un atacante remoto puede explotar mensajes de error diferenciales durante el flujo de inicio de sesi\u00f3n 'identity-first' cuando las Organizaciones est\u00e1n habilitadas. Esta vulnerabilidad permite a un atacante determinar la existencia de usuarios, lo que lleva a la revelaci\u00f3n de informaci\u00f3n a trav\u00e9s de la enumeraci\u00f3n de usuarios."}], "id": "CVE-2026-4633", "lastModified": "2026-04-01T14:26:47.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-23T11:16:25.053", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2026-4633"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450247"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Red Hat Build of Keycloak", "source": "cna", "vendor": "Red Hat"}, "product": "build_keycloak", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-03-23T12:21:27.784766+00:00", "value": {"mitigation_remediation": ["Monitor Red\u202fHat security advisories for a patch or update for Red\u202fHat Build of Keycloak.", "Once a patch is released, apply it immediately.", "Until a patch is available, evaluate disabling the Organizations feature in Keycloak to limit the risk; if that is not possible, continue to monitor authentication logs for suspicious activity."], "summary": {"action": "Assess Impact", "impact": "User Enumeration \u2013 Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is Red\u202fHat Build of Keycloak. The advisory does not list specific release versions, so any deployment of this build without an update that addresses the flaw is potentially vulnerable. Administrators of Keycloak instances that enable the Organizations feature should be aware that user enumeration is possible until a fix is applied.", "description_and_impact": "The vulnerability in Keycloak arises from differential error messages returned during the identity\u2011first login flow when Organizations are enabled. By sending crafted login attempts and observing subtle differences in the error responses, a remote attacker can determine whether specific usernames exist within the system. This leads to user enumeration and the disclosure of information that could be used for further reconnaissance. The weakness is categorized as CWE\u2011209, reflecting improper error handling that unintentionally provides attackers with sensitive data.", "risk_and_exploitability": "The CVSS score of 3.7 indicates moderate severity, and the vulnerability is not currently listed in the CISA KEV catalog. EPSS data is unavailable, so the likelihood of exploitation cannot be quantified, but the attack vector is remote and requires only access to Keycloak\u2019s authentication API. Since no official workaround exists and the Red\u202fHat product security criteria deem the available options unsuitable, the risk relies primarily on the availability of a future vendor patch."}}}}, "created": "2026-03-24T10:34:47.123051+00:00", "updated": "2026-03-25T14:49:23.087087+00:00", "vendors": ["redhat", "redhat$PRODUCT$build_keycloak"]}