The “vulnerability test” of this script is very basic. It simply checks if the server response with “400 Bad Request” to mark it as vulnerable. Since the exploit code doesn’t make any sense for Keycloak it correctly answers with a 400 status code. It does so also when you send some other nonsense to this endpoint. So this doesn’t proof Keycloak to be affected.