Vulnerability in Keycloak Account REST API Allows Account Takeover via MFA Manipulation
CVE-2026-3429
Key Information:
- Vendor: Red Hat
- Status: Vendor
- CVE Published: 11 March 2026
What is CVE-2026-3429?
CVE-2026-3429 is a vulnerability in the Account REST API of Keycloak, the open-source identity and access management tool developed by Red Hat. It permits an attacker authenticated at a lower level (for example, with a password alone) to perform sensitive operations that should be available only to users authenticated at a higher security level. Specifically, an attacker who has compromised a user's password can delete the victim's multi-factor authentication (MFA) credentials without proving possession of the MFA factor. The attacker can then register their own MFA device and gain full control of the account. This flaw undermines the security model of multi-factor authentication, which exists precisely to protect accounts whose password has been exposed.
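To make the missing check concrete, the following is an added, hypothetical Python model of an account service (not Keycloak's code): each session carries the authentication level it was established with, and the hardened path refuses to remove or replace an MFA factor unless the session has itself proven that factor. The `step_up_enforced` flag, the level constants and the credential identifiers are assumptions made for this model.

```python
from dataclasses import dataclass, field

# Assumed authentication levels for the model; not Keycloak's ACR values.
LEVEL_PASSWORD = 1  # session established with a password only
LEVEL_MFA = 2       # session established with password plus a second factor


@dataclass
class Credential:
    cred_id: str
    owner: str
    kind: str             # "password" or "otp"
    required_level: int   # level a session needs to remove or replace it


@dataclass
class Session:
    user: str
    auth_level: int


@dataclass
class AccountService:
    credentials: dict = field(default_factory=dict)
    step_up_enforced: bool = True  # False reproduces the flawed behaviour

    def _has_otp(self, user: str) -> bool:
        return any(c.owner == user and c.kind == "otp" for c in self.credentials.values())

    def delete_credential(self, session: Session, cred_id: str) -> bool:
        cred = self.credentials.get(cred_id)
        if cred is None or cred.owner != session.user:
            return False  # not the owner: rejected in both variants
        if self.step_up_enforced and session.auth_level < cred.required_level:
            return False  # password-only session may not remove an MFA factor
        del self.credentials[cred_id]
        return True

    def register_otp(self, session: Session, cred_id: str) -> bool:
        # First enrolment is allowed at password level; replacing an existing
        # factor requires a session that has already proven that factor.
        if (self.step_up_enforced and self._has_otp(session.user)
                and session.auth_level < LEVEL_MFA):
            return False
        self.credentials[cred_id] = Credential(cred_id, session.user, "otp", LEVEL_MFA)
        return True


def takeover_attempt(step_up_enforced: bool) -> bool:
    """True if a password-only session could swap out the victim's OTP factor."""
    svc = AccountService(step_up_enforced=step_up_enforced)
    svc.credentials["otp-1"] = Credential("otp-1", "victim", "otp", LEVEL_MFA)
    pw_only = Session(user="victim", auth_level=LEVEL_PASSWORD)  # password known only
    removed = svc.delete_credential(pw_only, "otp-1")
    registered = svc.register_otp(pw_only, "otp-new")
    return removed and registered
```

With step-up enforced, the deletion is refused, so the victim's factor remains and the replacement enrolment is refused as well.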
Potential Impact of CVE-2026-3429
- Account Takeover: The vulnerability allows attackers to fully compromise user accounts, leading to potential unauthorized access to sensitive information or systems, which can result in significant data breaches.
- Undermined MFA Security: By circumventing the protections of multi-factor authentication, organizations relying on Keycloak for secure user access may find their security measures are ineffective, potentially leading to a broader systemic security risk.
- Increased Attack Surface: As the vulnerability could be exploited by anyone who has already gained access to a valid user password, this increases the risk of both targeted and opportunistic attacks, necessitating enhanced monitoring and incident response efforts.
Affected Version(s)
- Red Hat build of Keycloak 26.4: 26.4.11-1
- Red Hat build of Keycloak 26.4: 26.4-14