Keycloak's improper input validation allows using email as username

Keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before emails.

Published: Jun 12, 2024
Updated: Jun 27, 2024
GHSA: GHSA-4vc8-pg5c-vg4x
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWEs:

CWE-670

Affected Software
References

Software	From	Fixed in
org.keycloak / keycloak-services	-	24.0.1

https://github.com/keycloak/keycloak/commit/f9708037383aa98741e4850447de64dc4a0d4b4e
https://github.com/keycloak/keycloak/security/advisories/GHSA-4vc8-pg5c-vg4x

Vulnerability Database

289,599

Keycloak's improper input validation allows using email as username