A flaw was found in Keycloak, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.
Turn off all kinds of email notifications including password reset mails.