7 High
AI Score
Confidence
High
Keycloak allows the use of email as a username and doesn’t check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before emails.
github.com/keycloak/keycloak
github.com/keycloak/keycloak/commit/f9708037383aa98741e4850447de64dc4a0d4b4e
github.com/keycloak/keycloak/security/advisories/GHSA-4vc8-pg5c-vg4x