related to: #41331
The "forgot password" process does not currently restrict an attacker from automating what should only be a manual process. An attacker could automate sending thousands of password reset emails or user invitations. As a result, legitimate users might assume that the customer (owner of the Keycloak instance) is spamming them.
Attackers could also exploit this to defame or annoy users, ultimately harming the customer's brand.
Is there an existing mechanism to prevent this?
As far as I understand, brute-force protection can only be enabled on the login page, correct?
(ext. ref: epic#1248)
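One shape the missing control can take, as an added example that is not Keycloak's code and not part of the original post: a sliding-window limiter in front of the "forgot password" handler with two independent budgets, one per target mailbox (so a victim cannot be flooded no matter how many source addresses are used) and one per source IP (capping bulk sending across many targets), while the response stays constant so the caller cannot tell a throttled request from a sent one. The names `SlidingWindowLimiter`, `request_reset`, the limits and the sample addresses are assumptions.

```python
"""Rate-limit self-service password-reset (and invitation) email requests.

Added example, not Keycloak code. Names and limits are hypothetical.
"""
import hashlib
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` within the last `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Two independent budgets: per target mailbox (protects the victim from spam
# regardless of how many source addresses the caller uses) and per source IP
# (caps bulk sending across many targets). Values are illustrative.
per_target = SlidingWindowLimiter(limit=3, window=3600)   # 3 emails/hour/mailbox
per_source = SlidingWindowLimiter(limit=20, window=3600)  # 20 requests/hour/IP

GENERIC_REPLY = "If that account exists, a reset email has been sent."

def request_reset(email: str, source_ip: str, now: float, send) -> str:
    """Handle one reset request; `send(email)` queues the mail.

    Returns the same message whether the mailbox exists, the mail was sent,
    or the request was throttled, so nothing is leaked by the response.
    """
    # Normalise and hash the address so the limiter stores no raw mailboxes
    # and case variants of one address share a budget.
    target_key = hashlib.sha256(email.strip().lower().encode()).hexdigest()
    # Short-circuit: a source that is over budget never touches the target budget.
    if per_source.allow(source_ip, now) and per_target.allow(target_key, now):
        send(email)  # only now is the mail actually queued
    return GENERIC_REPLY
```

The same structure applies to user-invitation emails; only the key (invitee address) and the limits change.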