CVE-2026-3429
Privilege Escalation in Keycloak Account API Allows MFA Bypass
Publication date: 2026-03-11
Last updated on: 2026-04-02
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | * |
| jboss | keycloak | * |
| jboss | keycloak | up to 2.11.0 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper access control flaw in the Keycloak Account REST API. It allows an attacker who has obtained a victim's username and password to perform sensitive actions without completing the required higher-level authentication steps. Specifically, the attacker can delete the victim's registered multi-factor authentication (MFA) or one-time password (OTP) credentials and then register their own MFA device. This effectively lets the attacker take full control of the victim's account by bypassing the intended multi-factor authentication protections. [1]
How can this vulnerability impact me?
The vulnerability can lead to full account takeover by an attacker who has the victim's primary credentials. By deleting the victim's MFA credentials and registering their own, the attacker bypasses multi-factor authentication protections. This compromises account integrity and results in partial loss of confidentiality. Exploitation requires network access and valid credentials but no user interaction, making it a significant security risk for affected Keycloak users. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized deletion or registration of MFA/OTP credentials via the Keycloak Account REST API. Since exploitation requires valid credentials and network access, suspicious activity logs related to credential management actions should be reviewed.

Specifically, you can audit Keycloak server logs for API calls to the account credential management endpoints, looking for deletion or registration of MFA devices without corresponding step-up authentication events.

While no exact commands are provided in the resources, general commands to check Keycloak logs on a Linux system might include:

- `sudo journalctl -u keycloak.service | grep 'credential'`
- `grep -i 'DELETE' /var/log/keycloak.log`
- `grep -i 'MFA' /var/log/keycloak.log`

Additionally, network monitoring tools can be used to detect unusual API calls to the Keycloak Account REST API endpoints. [1]
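As an added detection example, not part of this record and not Keycloak's own tooling: a small Python correlation pass over constructed Keycloak-style event lines that flags MFA credential removals with no recent step-up login for the same user, and notes whether a re-enrolment and a source-IP change followed, which is the takeover pattern described above. The line shape, the `acr` detail as the step-up indicator, the 15-minute window and the event type names (modelled on Keycloak's event types) are all assumptions.

```python
from datetime import datetime, timedelta

REMOVAL_EVENTS = {"REMOVE_TOTP", "REMOVE_CREDENTIAL"}
ENROL_EVENTS = {"UPDATE_TOTP", "UPDATE_CREDENTIAL"}
STEP_UP_LEVEL = 2        # assumption: acr >= 2 means the step-up flow completed
WINDOW = timedelta(minutes=15)

# Constructed sample lines. The "timestamp type=..., key=value" shape and the
# acr detail are assumptions modelled on Keycloak's logging event listener.
SAMPLE_LOG = """\
2026-03-10T09:00:00 type=LOGIN, userId=u-1001, ipAddress=10.0.0.5, acr=2
2026-03-10T09:01:10 type=REMOVE_TOTP, userId=u-1001, ipAddress=10.0.0.5
2026-03-10T13:00:00 type=LOGIN, userId=u-2002, ipAddress=10.0.0.9, acr=1
2026-03-10T13:00:30 type=REMOVE_TOTP, userId=u-2002, ipAddress=203.0.113.7
2026-03-10T13:00:45 type=UPDATE_TOTP, userId=u-2002, ipAddress=203.0.113.7
"""

def parse_event(line):
    """Turn 'ISO-timestamp key=value, key=value' into a dict; None if malformed."""
    ts, _, rest = line.strip().partition(" ")
    if not rest:
        return None
    pairs = (p.strip().partition("=") for p in rest.split(","))
    ev = {k: v for k, sep, v in pairs if sep}
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def find_mfa_resets(log_text):
    """Flag MFA removals not preceded by a recent step-up login for that user."""
    events = sorted(filter(None, map(parse_event, log_text.splitlines())),
                    key=lambda e: e["ts"])
    last_login, findings = {}, []
    for i, ev in enumerate(events):
        uid, kind = ev.get("userId"), ev.get("type")
        if kind == "LOGIN":
            last_login[uid] = ev
            continue
        if kind not in REMOVAL_EVENTS:
            continue
        login = last_login.get(uid)
        recent = login is not None and ev["ts"] - login["ts"] <= WINDOW
        if recent and int(login.get("acr", "0")) >= STEP_UP_LEVEL:
            continue  # a fresh step-up login explains the removal
        # Look ahead for the re-enrolment half of the takeover pattern.
        reenrol = any(e.get("userId") == uid and e.get("type") in ENROL_EVENTS
                      and e["ts"] - ev["ts"] <= WINDOW for e in events[i + 1:])
        findings.append({"userId": uid, "removed_at": ev["ts"].isoformat(),
                         "removal_ip": ev.get("ipAddress"), "reenrolled": reenrol,
                         "ip_changed": bool(login)
                         and login.get("ipAddress") != ev.get("ipAddress")})
    return findings
```

Running `find_mfa_resets(SAMPLE_LOG)` flags only u-2002, whose OTP credential was removed after an acr=1 login and re-registered seconds later from a different address.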
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Keycloak Account REST API to trusted networks and users, enforcing stronger authentication policies, and monitoring for suspicious credential management activities.
Since the vulnerability allows attackers with valid credentials but lower assurance levels to delete MFA credentials, it is critical to ensure that step-up authentication is properly enforced before allowing sensitive actions.
Applying any available patches or updates from Keycloak or your Linux distribution vendor that address this vulnerability is also essential.