Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API

GHSA-8g9r-9wjw-37j4 · CVE-2026-3429

Published Mar 11, 2026 · Modified Apr 2, 2026

Description

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-3429
WEB https://github.com/keycloak/keycloak/issues/47069
WEB https://github.com/keycloak/keycloak/commit/68f5779230d08825e6a4b4e23471fade16434178
WEB https://access.redhat.com/errata/RHSA-2026:6477
WEB https://access.redhat.com/errata/RHSA-2026:6478
WEB https://access.redhat.com/security/cve/CVE-2026-3429
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2443771
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes