CVE-2026-4633 — Vulnetix

CVE-2026-4633 PUBLISHED CVSS 3.700000047683716 LOW

A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.

EPSS 0.02% · 4.7th percentile

Risk Scores

CVSS v3.1

3.700000047683716

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score

0.02%

4.7th percentile

Affected Products

Vendor	Product	Versions
Maven	org.keycloak:keycloak-services	0, 0, 0
Red Hat	Red Hat Build of Keycloak

Timeline

Mar 23, 2026 CVE Published
Mar 23, 2026 EPSS Score
Mar 23, 2026 PoC Published
Mar 24, 2026 EPSS Score
Mar 24, 2026 PoC Published
Mar 25, 2026 EPSS Score
Mar 25, 2026 Coalition ESS Score
Mar 26, 2026 EPSS Score
Mar 27, 2026 Coalition ESS Score
Mar 27, 2026 Security Advisory
Apr 13, 2026 CVE Updated
May 18, 2026 EPSS Score

References

https://access.redhat.com/security/cve/CVE-2026-4633 vdb
RHBZ#2450247 issue
https://nvd.nist.gov/vuln/detail/CVE-2026-4633 advisory
https://github.com/keycloak/keycloak package

Open in Interactive Console →