CVE-2026-3429 in Keycloak
Summary
by MITRE • 03/11/2026
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability described in CVE-2026-3429 represents a critical authorization flaw within Keycloak's Account REST API that directly compromises the security of multi-factor authentication implementations. This issue manifests as a privilege escalation vulnerability where users authenticated with low-security credentials can perform actions that should require higher assurance authentication levels. The flaw specifically affects the authentication flow when users attempt to manage their multi-factor authentication credentials, creating a dangerous gap in the security model that allows attackers to bypass the intended protection mechanisms.
The technical implementation of this vulnerability stems from improper validation of authentication context within the Account REST API endpoints. When a user attempts to delete MFA/OTP credentials, the system fails to verify that the current authentication session meets the required assurance level for such sensitive operations. This design flaw enables attackers who have already compromised a victim's password to execute account takeover operations without first demonstrating possession of the victim's second authentication factor. The vulnerability operates at the application layer and specifically targets the session management and authentication context validation mechanisms within Keycloak's API framework.
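The authorization gap described above is easiest to see in code. The following is an added illustration, not Keycloak's Account REST API code: a minimal credential-removal handler written two ways. The vulnerable form checks only that the caller is logged in and owns the credential, which is the pattern the CVE describes; the hardened form additionally requires that the session has proven the second factor (an `amr`-style method list plus a freshness timestamp) before an OTP credential may be removed. The `Session`, `CredentialStore`, field names and the 300-second freshness window are all assumptions for the example.

```python
"""Illustrative step-up check for an MFA-credential-removal endpoint.
Added example: not Keycloak code. Session/claim names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_SECOND_FACTOR_AGE = 300  # seconds; assumed policy for how fresh the OTP proof must be


class Forbidden(Exception):
    """Raised when the session's assurance level is too low for the operation."""


@dataclass
class Session:
    user_id: str
    amr: Set[str] = field(default_factory=set)   # methods used so far: "pwd", "otp", ...
    otp_verified_at: Optional[float] = None      # epoch seconds of the last OTP proof, if any


@dataclass
class CredentialStore:
    creds: Dict[str, Dict[str, str]]  # user_id -> {credential_id: credential_type}

    def delete(self, user_id: str, credential_id: str) -> None:
        del self.creds[user_id][credential_id]


def delete_credential_vulnerable(session: Session, store: CredentialStore,
                                 credential_id: str) -> bool:
    # Flawed pattern: ownership is checked, assurance level is not, so a
    # password-only session can remove the user's OTP credential.
    if credential_id not in store.creds.get(session.user_id, {}):
        raise KeyError(credential_id)
    store.delete(session.user_id, credential_id)
    return True


def delete_credential_hardened(session: Session, store: CredentialStore,
                               credential_id: str, now: float) -> bool:
    # Hardened pattern: removing a second factor requires that this session
    # actually presented that factor, and did so recently (step-up auth).
    user_creds = store.creds.get(session.user_id, {})
    if credential_id not in user_creds:
        raise KeyError(credential_id)
    if user_creds[credential_id] == "otp":
        fresh = (session.otp_verified_at is not None
                 and now - session.otp_verified_at <= MAX_SECOND_FACTOR_AGE)
        if "otp" not in session.amr or not fresh:
            raise Forbidden("step-up authentication required to remove a second factor")
    store.delete(session.user_id, credential_id)
    return True


def make_store() -> CredentialStore:
    # Constructed sample data: one user with a password and one OTP credential.
    return CredentialStore({"alice": {"cred-otp-1": "otp", "cred-pwd": "password"}})


if __name__ == "__main__":
    pwd_only = Session("alice", amr={"pwd"})
    print("vulnerable handler removed OTP with password only:",
          delete_credential_vulnerable(pwd_only, make_store(), "cred-otp-1"))
    try:
        delete_credential_hardened(pwd_only, make_store(), "cred-otp-1", now=1000.0)
    except Forbidden as exc:
        print("hardened handler refused:", exc)
```

The freshness check matters as much as the method check: a session that proved the OTP hours ago should not be able to remove it without proving it again, otherwise a hijacked long-lived session regains the same capability.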
From an operational impact perspective, this vulnerability creates a severe risk for organizations relying on Keycloak for identity management and authentication services. The ability to delete MFA credentials and register new devices without proper factor verification effectively nullifies the security benefits of multi-factor authentication for affected users. Attackers can leverage this vulnerability to completely compromise user accounts, potentially leading to data breaches, unauthorized access to sensitive systems, and cascading security incidents throughout affected organizations. The attack vector is particularly concerning as it requires only basic credential compromise, making it accessible to threat actors with minimal technical expertise.
The vulnerability aligns with CWE-285 (Improper Authorization) and represents a clear violation of the principle of least privilege in security design. From an attack framework perspective, this weakness maps to the ATT&CK techniques T1566 (Phishing, a common route to obtaining the victim's password in the first place) and T1078 (Valid Accounts). Organizations utilizing Keycloak should implement immediate mitigations: strengthening authentication session validation, enforcing assurance-level checks for sensitive operations, and ensuring that MFA credential management requires explicit verification of the second factor before any change is made to the authentication configuration.
Recommended mitigations for this vulnerability include robust session context validation that enforces minimum authentication assurance requirements for sensitive operations, additional authentication checks for MFA credential management, and audit logging of all authentication and authorization events. Security teams should also consider rate limiting and anomaly detection to identify potential exploitation attempts, and should review their Keycloak configurations to ensure that sensitive operations require explicit verification of all authentication factors, not just the initial authentication credentials. The vulnerability demonstrates the critical importance of proper authentication context validation in identity management systems and highlights the need for comprehensive security testing of API endpoints that handle sensitive user operations.
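Until patched instances are upgraded, the audit-logging and anomaly-detection advice above can be turned into a concrete detection. The following is an added example, not VulDB's or Keycloak's code: it reads JSON-lines login events and flags OTP credential removals that are suspicious in the way the CVE describes, namely a removal from an IP address the user only started logging in from very recently, followed shortly by registration of a new OTP credential. The event type names follow Keycloak's `LOGIN`, `REMOVE_TOTP` and `UPDATE_TOTP` naming, but the sample log lines, the field layout and the time windows are constructed for the example; adapt the field names to the event sink you actually use.

```python
"""Detect suspicious MFA resets in Keycloak-style audit events.
Added example with constructed log lines; event type names follow Keycloak,
the field layout and thresholds are assumptions."""
import json
from collections import defaultdict
from typing import Dict, List

NEW_IP_WINDOW_MS = 24 * 3600 * 1000   # IP first seen for this user less than a day before the removal
REREGISTER_WINDOW_MS = 15 * 60 * 1000  # new OTP registered within 15 minutes of the removal

# Constructed sample events (times are epoch milliseconds, as Keycloak emits them).
# u1: takeover pattern (new IP, remove OTP, register new OTP).  u2: routine rotation from a known IP.
SAMPLE_EVENTS = """\
{"time": 0, "type": "LOGIN", "realmId": "demo", "userId": "u1", "sessionId": "s1", "ipAddress": "10.0.0.5"}
{"time": 0, "type": "LOGIN", "realmId": "demo", "userId": "u2", "sessionId": "s2", "ipAddress": "10.0.0.7"}
{"time": 259200000, "type": "LOGIN", "realmId": "demo", "userId": "u1", "sessionId": "s3", "ipAddress": "203.0.113.9"}
{"time": 259260000, "type": "REMOVE_TOTP", "realmId": "demo", "userId": "u1", "sessionId": "s3", "ipAddress": "203.0.113.9"}
{"time": 259320000, "type": "UPDATE_TOTP", "realmId": "demo", "userId": "u1", "sessionId": "s3", "ipAddress": "203.0.113.9"}
{"time": 432000000, "type": "LOGIN", "realmId": "demo", "userId": "u2", "sessionId": "s4", "ipAddress": "10.0.0.7"}
{"time": 432060000, "type": "REMOVE_TOTP", "realmId": "demo", "userId": "u2", "sessionId": "s4", "ipAddress": "10.0.0.7"}
{"time": 432120000, "type": "UPDATE_TOTP", "realmId": "demo", "userId": "u2", "sessionId": "s4", "ipAddress": "10.0.0.7"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into event dicts, ordered by time."""
    return sorted((json.loads(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["time"])


def detect_mfa_resets(events: List[dict]) -> List[dict]:
    """Return one finding per REMOVE_TOTP event, with the reasons it looks suspicious."""
    first_seen: Dict[str, Dict[str, int]] = defaultdict(dict)  # userId -> {ip: first login time}
    findings: List[dict] = []
    for e in events:
        uid, ip, t = e["userId"], e["ipAddress"], e["time"]
        if e["type"] == "LOGIN":
            first_seen[uid].setdefault(ip, t)
        elif e["type"] == "REMOVE_TOTP":
            reasons = []
            seen = first_seen[uid].get(ip)
            # Removal from an address this user never or only just started using.
            if seen is None or t - seen < NEW_IP_WINDOW_MS:
                reasons.append("new_ip")
            findings.append({"userId": uid, "time": t, "ipAddress": ip,
                             "sessionId": e.get("sessionId"), "reasons": reasons})
        elif e["type"] == "UPDATE_TOTP":
            # A fresh OTP registered right after a removal completes the takeover pattern.
            for f in findings:
                if (f["userId"] == uid and 0 <= t - f["time"] < REREGISTER_WINDOW_MS
                        and "reregistered" not in f["reasons"]):
                    f["reasons"].append("reregistered")
    return findings


def severity(finding: dict) -> str:
    reasons = set(finding["reasons"])
    if {"new_ip", "reregistered"} <= reasons:
        return "high"
    return "medium" if reasons else "info"


if __name__ == "__main__":
    for f in detect_mfa_resets(parse_events(SAMPLE_EVENTS)):
        print(severity(f), f)
```

A removal plus re-registration on its own is also what a legitimate device rotation looks like, which is why the example only rates it "medium"; the "new_ip" signal is what separates the takeover pattern from routine maintenance, and in a real deployment you would add whatever the session's login event records about which factors were actually presented.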