Bug 2443771 (CVE-2026-3429) - CVE-2026-3429 org.keycloak.services.resources.account: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API
Keywords:
Status: NEW
Alias: CVE-2026-3429
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-03-02 10:03 UTC by OSIDB Bzimport
Modified: 2026-03-02 10:19 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-02 10:03:36 UTC
Improper Access Control vulnerability in the Account REST API of Keycloak. The flaw is caused by insufficient validation of the authentication Level of Assurance (LoA) before allowing credential management actions. An attacker who has obtained a victim’s primary credentials (username and password) can authenticate at a lower LoA and delete the victim’s registered OTP/MFA credential without completing step-up authentication. The attacker can then register their own MFA device, effectively achieving full account takeover. Exploitation requires network access and valid credentials but no user interaction, resulting in compromise of account integrity and partial confidentiality impact.
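The following Python sketch is an added illustration, not Keycloak's code and not part of this bug report. It models the control the description says was missing: a credential-management endpoint that only checks account ownership lets a password-only session (LoA 1) remove the OTP credential, while the hardened variant compares the session's Level of Assurance against the level the targeted credential requires and refuses with a step-up demand. The LoA constants, the `REQUIRED_LOA_FOR_KIND` policy table and all function and class names are assumptions chosen for the example.

```python
"""Constructed model of LoA enforcement on an account credential endpoint.

Not Keycloak code; names and policy values are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed LoA scale: 1 = password only, 2 = password plus OTP (step-up done).
LOA_PASSWORD = 1
LOA_MFA = 2


class StepUpRequired(Exception):
    """The session has not reached the LoA this action needs."""


@dataclass
class Credential:
    id: str
    kind: str  # "password" or "otp"


@dataclass
class Session:
    user: str
    loa: int  # highest LoA achieved during this authentication session


@dataclass
class Account:
    user: str
    credentials: dict = field(default_factory=dict)


# Assumed policy: removing a second factor requires having authenticated with it.
REQUIRED_LOA_FOR_KIND = {"password": LOA_PASSWORD, "otp": LOA_MFA}


def delete_credential_vulnerable(account, session, cred_id):
    """The pattern the advisory describes: ownership is checked, LoA is not."""
    if session.user != account.user:
        raise PermissionError("not the account owner")
    del account.credentials[cred_id]  # KeyError if the credential does not exist
    return True


def delete_credential_hardened(account, session, cred_id):
    """Ownership check plus LoA gate: a weaker session must step up first."""
    if session.user != account.user:
        raise PermissionError("not the account owner")
    cred = account.credentials.get(cred_id)
    if cred is None:
        raise KeyError(cred_id)
    needed = REQUIRED_LOA_FOR_KIND[cred.kind]
    if session.loa < needed:
        raise StepUpRequired(f"LoA {needed} required, session is at LoA {session.loa}")
    del account.credentials[cred_id]
    return True


def make_account():
    """Constructed sample account with a password and one OTP credential."""
    acct = Account("alice")
    acct.credentials["pw1"] = Credential("pw1", "password")
    acct.credentials["otp1"] = Credential("otp1", "otp")
    return acct


def demo():
    """Try to remove the OTP credential from a password-only session.

    Returns (vulnerable_deleted, hardened_deleted, otp_still_present_after_hardened).
    """
    weak_session = Session("alice", LOA_PASSWORD)
    a1 = make_account()
    vulnerable_deleted = delete_credential_vulnerable(a1, weak_session, "otp1")
    a2 = make_account()
    try:
        hardened_deleted = delete_credential_hardened(a2, weak_session, "otp1")
    except StepUpRequired:
        hardened_deleted = False
    return vulnerable_deleted, hardened_deleted, "otp1" in a2.credentials


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The point the hardened variant makes is that the check belongs on the credential's required level, not on whether the user is logged in at all: a session that has only proven the password is exactly the session an attacker holding stolen primary credentials would have, so it must be sent through step-up before any second-factor credential can be changed.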

