Infinispan / ISPN-16309

[GSS](8.4.z) StringIndexOutOfBoundsException if users.properties is malformed


      If users.properties is in encrypted form but contains an invalid entry, it causes a StringIndexOutOfBoundsException instead of a clearer error message.
       
      Correct format (if it had a correct hash):

      user=scram-sha-1\:aaaaaaaaaa;

      Bad format:

      user=aaaaaaaaa

      The issue is in org.infinispan.server.security.realm.EncryptedPropertiesSecurityRealm#load.

          int colon = password.indexOf(':');
          PasswordFactory factory = getPasswordFactory(password.substring(0, colon));
      

      It looks for a colon, but does not verify that it actually found one before calling substring with an invalid index.
      It should check if colon == -1 and return a more descriptive error message.
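
A sketch of the suggested check over a loaded users.properties, as an added example (not Infinispan's code and not the fix that was committed). The class and method names are hypothetical, and it assumes `;` separates the algorithm:hash pairs of one user, as the sample entry suggests.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added illustration; not Infinispan code. Class and method names are hypothetical.
public class UsersPropertiesCheck {

    // Returns one message per malformed credential instead of letting
    // substring(0, -1) throw StringIndexOutOfBoundsException.
    static List<String> findMalformed(Properties users) {
        List<String> errors = new ArrayList<>();
        for (String user : users.stringPropertyNames()) {
            // Assumption: ';' separates the algorithm:hash pairs of one user.
            for (String password : users.getProperty(user).split(";")) {
                int colon = password.indexOf(':');
                // Reject a missing colon, an empty algorithm and an empty hash.
                if (colon < 1 || colon == password.length() - 1) {
                    // Name the user but do not echo the value: a malformed
                    // entry may be a cleartext password.
                    errors.add("users.properties: entry for user '" + user
                            + "' is not in <algorithm>:<hash> form");
                }
            }
        }
        return errors;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: 'good' follows the format from the report,
        // 'bad' is the colon-less entry that triggers the exception.
        String sample = "good=scram-sha-1\\:aaaaaaaaaa;\nbad=aaaaaaaaa\n";
        Properties users = new Properties();
        users.load(new StringReader(sample)); // "\:" is unescaped to ":" on load
        findMalformed(users).forEach(System.out::println);
    }
}
```

Run against the constructed sample, only the `bad` entry is reported, and the message identifies the user without writing the credential value to the log.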

            ttarrant@redhat.com Tristan Tarrant
            rhn-support-dereed Dennis Reed