Description
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.
Published: 2026-03-11
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover via MFA Deletion
Action: Patch Immediately
AI Analysis

Impact

The vulnerability in Keycloak’s Account REST API allows an authenticated user with a lower security level to delete a victim’s registered multi‑factor authentication (MFA) or one‑time‑password (OTP) credentials without proving possession of that factor. After the deletion the attacker can register their own MFA device and take full control of the account, effectively bypassing the intended MFA protection. This flaw represents an improper access control weakness (CWE‑284).

Affected Systems

The affected products are Red Hat Build of Keycloak (including builds 26.4 and 26.4.11), Red Hat JBoss Enterprise Application Platform 8 and the Red Hat Single Sign‑On 7 stack. These environments use the Keycloak account REST API and are vulnerable to the described deletion and takeover scenario.

Risk and Exploitability

The CVSS score is 4.2, indicating a moderate severity. The EPSS score of less than 1 % suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to already have valid credentials for the victim at a lower security level; once this is achieved, the attacker can delete MFA credentials and register a new device. The attack vector is mediated through the REST API and relies on the existing authenticated session, so widespread exploitation would be limited to environments where these API endpoints are exposed and the attacker has compromised credentials.

Generated by OpenCVE AI on April 15, 2026 at 22:39 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

OpenCVE Recommended Actions

  • Apply Red Hat security updates RHSA-2026:6477 and RHSA-2026:6478 to update Keycloak to the patched version.
  • Confirm that all Keycloak deployments are running version 26.4.11 or later, which contains the access‑control fix.
  • If a patch cannot be applied immediately, reconfigure the Account REST API to require multi‑factor authentication for credential deletion or restrict the API to high‑assurance sessions only.
  • No workable workaround is provided; patch remains the only viable mitigation.

Generated by OpenCVE AI on April 15, 2026 at 22:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8g9r-9wjw-37j4 Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API
History

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:26.4::el9
References

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Title org.keycloak.services.resources.account: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API Org.keycloak.services.resources.account: improper access control leading to mfa deletion and account takeover in keycloak account rest api
First Time appeared Redhat
Redhat build Keycloak
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Redhat red Hat Single Sign On
CPEs cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products Redhat
Redhat build Keycloak
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Redhat red Hat Single Sign On
References

Wed, 04 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Keycloak
Keycloak keycloak
Vendors & Products Keycloak
Keycloak keycloak

Tue, 03 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.
Title org.keycloak.services.resources.account: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API
Weaknesses CWE-284
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

threat_severity

Moderate

Subscriptions

Keycloak Keycloak
Redhat Build Keycloak Jboss Enterprise Application Platform Jbosseapxp Red Hat Single Sign On
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-02T16:39:41.284Z

Reserved: 2026-03-02T09:54:23.687Z

Link: CVE-2026-3429

cve-icon Vulnrichment

Updated: 2026-03-12T15:43:40.897Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-11T17:16:59.270

Modified: 2026-04-02T14:16:32.097

Link: CVE-2026-3429

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-02T00:00:00Z

Links: CVE-2026-3429 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T22:45:16Z

Weaknesses