PT-2026-24745
Vendor: Red Hat
Product: Red Hat Build Of Keycloak
Source: Osidb Bzimport
Published: 2026-03-11
Updated: 2026-04-06
CVE: CVE-2026-3429
CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)
Description: A flaw exists in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance (step-up) sessions. An attacker who has obtained a victim's password can delete the victim's registered MFA/OTP credential without proving possession of that factor, then register their own MFA device and gain full control of the account. This undermines the protection that multi-factor authentication is meant to provide. The endpoint involved is the Account REST API; the vulnerable action is the deletion of MFA/OTP credentials.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2026-3429
GHSA-8G9R-9WJW-37J4

Affected Products

Red Hat Build Of Keycloak
Red Hat Enterprise Application Platform 8
Red Hat JBoss Enterprise Application Platform Expansion Pack
Red Hat Single Sign-On 7
Red Hat Build Of Keycloak 26.4
Red Hat Build Of Keycloak 26.4.11
org.keycloak:keycloak-services