Keycloak vulnerable to unauthorized login via mail server setup
A flaw was found in Keycloak before version 8.0.0. The owner of the 'placeholder.org' domain can set up a mail server on this domain and, knowing only the name of a client, can reset the password and then log in. For example, for the client name 'test' the email address will be 'service-account-test@placeholder.org'...
Keycloak: Keycloak uses a hard-coded open dummy domain for new accounts, enabling information disclosure
A flaw was found in Keycloak. The use of an open, hard-coded domain can allow an unauthorized login: whoever controls that domain can set up a mail server for it, receive the password-reset mail, reset the user's credentials, and log in, enabling information disclosure...
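Both entries describe the same precondition: an account whose email address sits on a domain the realm operator does not control, so a "forgot password" mail goes to whoever registered that domain. The check below, an added example and not code from the advisories or from the Keycloak project, scans a realm export for such accounts and shows one mitigation (dropping the placeholder address so the reset flow has nowhere to send). It assumes the realm export is JSON with a top-level "users" list carrying "username", "email" and "emailVerified" fields; the sample export and the owned-domain list are constructed for illustration.

```python
import json

# Domain that Keycloak before 8.0.0 hard-coded into the email of auto-created
# service-account users: the open, publicly registrable domain the two
# advisories above describe.
HARDCODED_PLACEHOLDER_DOMAIN = "placeholder.org"

# Constructed sample in the shape of a Keycloak realm export. Assumed layout:
# a top-level "users" list whose entries carry "username" and "email".
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "demo",
    "users": [
        {"username": "alice", "email": "alice@example.com", "enabled": True},
        {"username": "service-account-test",
         "email": "service-account-test@placeholder.org", "enabled": True},
        {"username": "bob", "email": "bob@partner.example.net", "enabled": True},
        {"username": "service-account-api", "enabled": True},  # no email at all
    ],
})


def mailbox_domain(email):
    """Lower-cased domain part of an address, or None if it has no '@'."""
    if not email or "@" not in email:
        return None
    return email.rsplit("@", 1)[1].strip().lower()


def find_externally_owned_mailboxes(realm_json, owned_domains):
    """Flag users whose password-reset mail would leave the operator's domains.

    Returns a list of dicts: username, email, and whether the address sits on
    the hard-coded placeholder domain (the case from the advisories) rather
    than merely on some other third-party domain.
    """
    realm = json.loads(realm_json)
    owned = {d.lower() for d in owned_domains}
    findings = []
    for user in realm.get("users", []):
        domain = mailbox_domain(user.get("email"))
        if domain is None or domain in owned:
            continue
        findings.append({
            "username": user.get("username"),
            "email": user["email"],
            "placeholder_domain": domain == HARDCODED_PLACEHOLDER_DOMAIN,
        })
    return findings


def strip_placeholder_emails(realm_json):
    """Return a realm export with placeholder.org addresses removed.

    With no email on the account the 'forgot password' flow has nowhere to send
    a reset link, so the mailbox owner of placeholder.org receives nothing.
    Returns the new JSON text and the usernames that were changed.
    """
    realm = json.loads(realm_json)
    changed = []
    for user in realm.get("users", []):
        if mailbox_domain(user.get("email")) == HARDCODED_PLACEHOLDER_DOMAIN:
            del user["email"]
            user["emailVerified"] = False  # assumed field name from realm exports
            changed.append(user["username"])
    return json.dumps(realm), changed


if __name__ == "__main__":
    for finding in find_externally_owned_mailboxes(SAMPLE_REALM_EXPORT, {"example.com"}):
        print(finding)
    cleaned, changed = strip_placeholder_emails(SAMPLE_REALM_EXPORT)
    print("removed placeholder emails from:", changed)
```

Run it against a real export (Keycloak's admin console and import/export tooling both produce realm JSON) with the set of domains your organisation actually owns; anything flagged with placeholder_domain set is the exact case from the advisories, and the other hits deserve a look because the same reset-mail attack works against any domain an outsider controls. Upgrading Keycloak is the real fix; the stripping step is for exports of already-affected realms.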