First published: Wed Jun 12 2024(Updated: )
Keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before emails.
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.keycloak:keycloak-services | <24.0.1 | 24.0.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.