However, this is a community forum, so the best place to post bugs like that is the Keycloak GitHub Issues page. Once you post it, please post the link of the issue back here so people on the forum can track it.
Based on the guidance for issues in github. I should not have made this post itself and I should email the issue to keycloak-security@googlegroups.com. I will do so, and then delete this post unless admins have further guidance. Likewise I will not be able to followup with an issue number.