  1. RH-SSO
  2. RHSSO-3246

Conflict with the "no username" policy in Red Hat Single Sign-On


    • Bug
    • Resolution: Done
    • Major
    • 7.6.12
    • None
    • Server
    • None

      The scenario is that I created a user with a username that includes 1 uppercase letter, 1 lowercase letter, 1 special character, 1 digit and has a total length of 16 characters. When I used that same username as a password, it was accepted, which should not happen according to the policy that prohibits the use of the username as a password.

      See https://github.com/keycloak/keycloak/issues/37431

       

      Also, there is already a fix after RHBK 25.0.x https://github.com/keycloak/keycloak/issues/27643

       

              mposolda@redhat.com Marek Posolda
              mposolda@redhat.com Marek Posolda