A flaw was found in Keycloak before version 8.0.0. The owner of the "placeholder.org" domain can set up a mail server on this domain and, knowing only the name of a client, can reset the password and then log in. For example, for the client name "test" the email address will be "[email protected]".
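
An added example, not part of the advisory and not Keycloak's own code: an audit that lists accounts in a realm export whose e-mail address falls under placeholder.org, the domain whose owner could receive the reset mail. The export layout (a `users` array with `username`, `email`, `enabled` and `serviceAccountClientId`) and every sample record are assumptions constructed for illustration.

```python
import json

# Domain named in the advisory; whoever owns it can receive mail sent there.
RISKY_DOMAIN = "placeholder.org"

# Constructed sample; the layout of the export is an assumption.
SAMPLE_EXPORT = json.dumps({"users": [
    {"username": "sample-svc-a", "email": "sample-a@placeholder.org",
     "enabled": True, "serviceAccountClientId": "sample-client-a"},
    {"username": "sample-svc-b", "email": "sample-b@PLACEHOLDER.ORG.",
     "enabled": True, "serviceAccountClientId": "sample-client-b"},
    {"username": "sample-user-c", "email": "c@mail.placeholder.org", "enabled": False},
    {"username": "sample-user-d", "email": "d@notplaceholder.org", "enabled": True},
    {"username": "sample-user-e", "enabled": True},
]})


def email_domain(address):
    """Return the lower-cased domain of an address, or None if there is none."""
    if not isinstance(address, str) or "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1].strip().rstrip(".").lower()
    return domain or None


def find_exposed_accounts(export_text, risky_domain=RISKY_DOMAIN):
    """List accounts whose mail would be delivered to risky_domain or a subdomain."""
    findings = []
    for user in json.loads(export_text).get("users", []):
        domain = email_domain(user.get("email"))
        if domain is None:
            continue
        # Exact match or a true subdomain; "notplaceholder.org" must not match.
        if domain == risky_domain or domain.endswith("." + risky_domain):
            findings.append({
                "username": user.get("username"),
                "email": user["email"],
                "enabled": bool(user.get("enabled")),
                "client": user.get("serviceAccountClientId"),
            })
    return findings


if __name__ == "__main__":
    for hit in find_exposed_accounts(SAMPLE_EXPORT):
        print(hit)
```

Enabled accounts in the result are the ones to review first; a real export may name its fields differently from this sample.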