## Security Flaw: Keycloak Default Configuration Leaves Wanaku Vulnerable to Brute Force Attacks
A critical security vulnerability has been identified in the default configuration of the Wanaku authentication system, leaving it exposed to credential stuffing and password brute force attacks. The core issue resides in the Keycloak realm configuration file, where brute force protection is explicitly disabled. This oversight allows attackers to make an unlimited number of failed login attempts without triggering account lockouts or throttling, significantly lowering the barrier for unauthorized access.

The vulnerability is located in the `wanaku-config.json` file. The configuration sets `"bruteForceProtected": false` and pairs it with a high `"failureFactor": 30`, a parameter that only takes effect when protection is active. This combination creates a deceptively configured security setting that offers no real defense: the threshold is present but inert. The current setup permits continuous login attempts, making it trivial for automated scripts to guess passwords or validate stolen credentials against user accounts.
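To make the misconfiguration concrete, here is an added audit script (not part of the report or the Wanaku project) that parses a Keycloak realm export, flags the disabled brute-force detector together with the inert `failureFactor`, and produces a corrected copy. The realm keys used (`bruteForceProtected`, `permanentLockout`, `failureFactor`, `waitIncrementSeconds`, `maxFailureWaitSeconds`, `maxDeltaTimeSeconds`, `quickLoginCheckMilliSeconds`, `minimumQuickLoginWaitSeconds`) are Keycloak's standard realm-representation fields; the sample document, the policy thresholds and the hardened values are assumptions constructed for the example, not the actual contents of `wanaku-config.json`.

```python
import json

# Constructed sample realm export. Only the brute-force fields matter here; the
# values of bruteForceProtected and failureFactor mirror those the report
# describes. This is not the real wanaku-config.json.
WEAK_REALM_JSON = """
{
  "realm": "example-realm",
  "bruteForceProtected": false,
  "permanentLockout": false,
  "failureFactor": 30,
  "waitIncrementSeconds": 60,
  "maxFailureWaitSeconds": 900,
  "maxDeltaTimeSeconds": 43200,
  "quickLoginCheckMilliSeconds": 1000,
  "minimumQuickLoginWaitSeconds": 60
}
"""

# Assumed policy thresholds for the audit; adjust to local requirements.
MAX_FAILURE_FACTOR = 10          # lock after at most this many consecutive failures
MIN_MAX_WAIT_SECONDS = 900       # temporary lockout should reach at least 15 minutes

# Hardened values (assumed reasonable defaults, not taken from the report).
HARDENED_BRUTE_FORCE = {
    "bruteForceProtected": True,
    "permanentLockout": False,        # temporary lockout limits denial-of-service by lockout
    "failureFactor": 10,
    "waitIncrementSeconds": 60,
    "maxFailureWaitSeconds": 900,
    "maxDeltaTimeSeconds": 43200,
    "quickLoginCheckMilliSeconds": 1000,
    "minimumQuickLoginWaitSeconds": 60,
}


def load_realm(text):
    """Parse a realm export (the JSON document Keycloak imports)."""
    return json.loads(text)


def audit_brute_force(realm):
    """Return a list of findings; an empty list means the brute-force settings pass."""
    findings = []
    protected = realm.get("bruteForceProtected", False)
    factor = realm.get("failureFactor")
    max_wait = realm.get("maxFailureWaitSeconds")

    if not protected:
        findings.append(
            "bruteForceProtected is false: failed logins are never throttled or locked out"
        )
        if factor is not None:
            # The deceptive pairing described in the report: the threshold is
            # present but has no effect because the detector is switched off.
            findings.append(
                f"failureFactor={factor} has no effect while bruteForceProtected is false"
            )
    if factor is None or factor > MAX_FAILURE_FACTOR:
        findings.append(
            f"failureFactor={factor} allows too many attempts (policy max {MAX_FAILURE_FACTOR})"
        )
    if max_wait is None or max_wait < MIN_MAX_WAIT_SECONDS:
        findings.append(
            f"maxFailureWaitSeconds={max_wait} is below policy minimum {MIN_MAX_WAIT_SECONDS}"
        )
    return findings


def harden_brute_force(realm):
    """Return a copy of the realm with the brute-force settings replaced by the hardened set."""
    fixed = dict(realm)
    fixed.update(HARDENED_BRUTE_FORCE)
    return fixed


if __name__ == "__main__":
    weak = load_realm(WEAK_REALM_JSON)
    for finding in audit_brute_force(weak):
        print("FAIL:", finding)
    fixed = harden_brute_force(weak)
    print("after hardening:", audit_brute_force(fixed) or "no findings")
    print(json.dumps({k: fixed[k] for k in HARDENED_BRUTE_FORCE}, indent=2))
```

Run against the sample, the audit reports three findings (detector disabled, `failureFactor` inert, `failureFactor` above policy) and none after hardening. The same check can be pointed at any exported realm JSON before it is imported, which is the point at which a secure-by-default posture is cheapest to enforce.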

This misconfiguration represents a fundamental security failure in the default deployment posture of Wanaku. For any organization or project relying on this setup, it introduces a direct and immediate risk of account compromise. The expected behavior, enabling brute force protection by default so that accounts are temporarily locked after a reasonable number of failures, is absent. The flaw therefore requires manual correction of the configuration before deployment, highlighting a gap in secure-by-default practices for the platform.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, authentication, configuration, Keycloak
- **Credibility**: unverified
- **Published**: 2026-04-06 16:27:21
- **ID**: 51706
- **URL**: https://whisperx.ai/en/intel/51706