Inconsistent "Forgot Password" behavior reveals user account information · Issue #39485 · keycloak/keycloak · GitHub
Inconsistent "Forgot Password" behavior reveals user account information #39485
Closed
@go-ma123

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

login/ui

Describe the bug

The "Forgot Password" functionality reveals information about user account existence through inconsistent error handling when SMTP server connection fails. This represents a potential information disclosure vulnerability (related to CWE-204: Response Discrepancy Information Exposure).

When the SMTP server connection fails, the system responds differently based on the user account status:

  1. For existing users with email set: Shows an error message
  2. For existing users without email set: Shows "We have sent you an email"
  3. For non-existing users: Shows "We have sent you an email"

This behavior allows attackers to determine whether an account exists and has an email configured.

Version

26.1.5

Regression

  • The issue is a regression

Expected behavior

The "Forgot Password" functionality should return consistent messages regardless of whether:

  • The user exists or not
  • The user has an email address configured or not
  • The SMTP server connection fails or succeeds

This maintains account enumeration protection and follows security best practices for user enumeration prevention.

Actual behavior

When SMTP server connection fails:

  1. For existing users with email configured:
    • Shows an error message about email delivery failure
  2. For existing users without email configured:
    • Shows "We have sent you an email" message
  3. For non-existing users:
    • Shows "We have sent you an email" message

How to Reproduce?

  1. Configure an email server in Keycloak
  2. Create three test scenarios:
    • User A: Existing user with email configured
    • User B: Existing user without email configured
    • User C: Non-existing user
  3. Disable or disrupt the SMTP server connection
  4. Use "Forgot Password" functionality for each scenario
  5. Observe different responses for each case

Anything else?

  • This issue was initially reported through security channels and has been cleared for public disclosure
  • The inconsistent behavior potentially violates CWE-204 (Response Discrepancy Information Exposure)
  • This type of information disclosure could be used for user enumeration attacks
  • Issue has also been verified in version 26.2.2
