Vulnerability in Keycloak Account REST API Allows Account Takeover via MFA Manipulation
CVE-2026-3429
What is CVE-2026-3429?
A vulnerability in the Account REST API of Keycloak lets a user whose session was authenticated at a lower level of assurance perform sensitive account actions that are reserved for higher-assurance sessions. In practice, an attacker who knows a victim's password can log in with the password alone and use the Account REST API to remove the victim's multi-factor authentication (MFA) or one-time password (OTP) credential, without the API verifying that the session actually completed the stronger authentication that removing a second factor should require. The attacker can then register their own MFA device and take complete control of the account. The practical consequence is that on an affected deployment a compromised password alone is sufficient for account takeover, which defeats the purpose of enforcing MFA.
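The control the advisory describes as missing is a step-up check: before a second-factor credential is removed, the API must confirm that the caller's session was itself authenticated with that factor, not merely with a password. The Python below is an added illustration written for this page; it is not Keycloak's code and does not reproduce the vulnerable code path. It models a password-only session beside a second-factor session and places a credential-removal handler that only checks ownership (the class of behaviour the advisory describes) next to a hardened handler that also checks the session's authentication context (acr) level and the freshness of that authentication. The acr values "1" and "2", the credential type names, the 300-second freshness window and all data structures are assumptions chosen for the example, not values taken from Keycloak.

```python
"""Added example for CVE-2026-3429: why removing a second-factor credential
must be gated on the session's level of assurance. Illustration only; this is
not Keycloak source code, and every name and value below is an assumption."""
from dataclasses import dataclass


# Assumed mapping from the acr ("authentication context class reference")
# value of a session to a level of assurance (LoA), in the style of step-up
# authentication: "1" = password only, "2" = password plus a second factor.
ACR_TO_LOA = {"1": 1, "2": 2}

# Assumed credential types whose removal weakens the account to one factor
# and must therefore only be allowed from an LoA-2 session.
SECOND_FACTOR_TYPES = {"otp", "webauthn", "webauthn-passwordless"}

# Assumed maximum age, in seconds, of the second-factor authentication that
# a sensitive action may rely on before the user must re-authenticate.
MAX_AUTH_AGE = 300


@dataclass
class Session:
    user_id: str
    acr: str          # highest acr the session reached
    auth_time: int    # epoch seconds of the last (re)authentication


@dataclass
class Credential:
    id: str
    type: str
    user_id: str


class CredentialStore:
    """Constructed in-memory stand-in for the user's credential list."""

    def __init__(self, creds):
        self.creds = {c.id: c for c in creds}

    def remove(self, cred_id):
        del self.creds[cred_id]

    def types_for(self, user_id):
        return sorted(c.type for c in self.creds.values()
                      if c.user_id == user_id)


class Forbidden(Exception):
    pass


def required_loa(cred):
    """Removing a second factor is a sensitive action: require LoA 2."""
    return 2 if cred.type in SECOND_FACTOR_TYPES else 1


def remove_credential_weak(session, cred, store, now):
    """Ownership-only check, the class of flaw the advisory describes: a
    password-only session may delete the user's OTP credential."""
    if cred.user_id != session.user_id:
        raise Forbidden("credential belongs to another user")
    store.remove(cred.id)
    return True


def remove_credential_hardened(session, cred, store, now):
    """Ownership check plus step-up: the session must have reached the LoA
    that removing this credential requires, and that authentication must be
    fresh enough to still vouch for the caller."""
    if cred.user_id != session.user_id:
        raise Forbidden("credential belongs to another user")
    need = required_loa(cred)
    have = ACR_TO_LOA.get(session.acr, 0)   # unknown acr counts as no assurance
    if have < need:
        raise Forbidden(f"step-up required: session LoA {have} < {need}")
    if need >= 2 and now - session.auth_time > MAX_AUTH_AGE:
        raise Forbidden("re-authentication required: second factor is stale")
    store.remove(cred.id)
    return True


def attacker_scenario(handler, now=1_700_000_010):
    """Constructed scenario: the attacker knows the victim's password, logs
    in with the password alone (acr "1") and asks to delete the OTP
    credential. Returns the outcome and the credential types left behind."""
    store = CredentialStore([
        Credential("cred-pw", "password", "victim"),
        Credential("cred-otp", "otp", "victim"),
    ])
    session = Session(user_id="victim", acr="1", auth_time=now - 10)
    try:
        handler(session, store.creds["cred-otp"], store, now)
        outcome = "removed"
    except Forbidden as exc:
        outcome = f"blocked: {exc}"
    return outcome, store.types_for("victim")


if __name__ == "__main__":
    for h in (remove_credential_weak, remove_credential_hardened):
        print(h.__name__, attacker_scenario(h))
```

With the weak handler the scenario ends with only the password credential left, which is the state the attacker needs before enrolling their own device; with the hardened handler the request is refused and the OTP credential survives. The freshness check matters as much as the level check: a session that completed OTP hours ago should not be able to strip the second factor without prompting for it again. In a real deployment this logic belongs on the server side of the Account REST API, and the remediation for an affected Keycloak is to apply the vendor's fix rather than to add client-side checks.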
