
CVE-2026-3429: Improper Access Control in Red Hat Build of Keycloak

Severity: Medium
Published: Wed Mar 11 2026 (03/11/2026, 16:17:24 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat Build of Keycloak

Description

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.

AI-Powered Analysis

Last updated: 03/11/2026, 16:44:26 UTC

Technical Analysis

CVE-2026-3429 is an improper access control vulnerability found in the Account REST API of the Red Hat Build of Keycloak, an open-source identity and access management solution widely used for single sign-on and authentication services. The vulnerability allows an attacker who has already obtained a victim’s password to bypass multi-factor authentication (MFA) protections by deleting the victim’s registered MFA/OTP credentials without needing to prove possession of the second factor. Normally, sensitive actions such as removing MFA devices require a higher-assurance session or additional verification to prevent unauthorized changes. However, due to insufficient enforcement of these controls, an attacker can remove the victim’s MFA device and then register their own, effectively taking full control of the account. This undermines the security benefits of MFA, which is designed to prevent account compromise even if passwords are leaked. The vulnerability has a CVSS 3.1 base score of 4.2, reflecting a medium severity level, primarily because exploitation requires prior knowledge of the victim’s password and the attack surface is limited to the Red Hat Build of Keycloak product. No public exploits or active exploitation have been reported as of the publication date. The flaw highlights the importance of enforcing strict access control and session assurance levels for sensitive API endpoints managing authentication factors.

Potential Impact

The primary impact of CVE-2026-3429 is the potential for account takeover despite the presence of multi-factor authentication, which is a critical security control for protecting user accounts. Attackers who have obtained or guessed a victim’s password can bypass MFA protections by deleting and re-registering MFA devices, leading to unauthorized access. This can result in unauthorized access to sensitive applications and data protected by Keycloak, potentially leading to data breaches, privilege escalation, and lateral movement within an organization’s network. Organizations relying on Red Hat Build of Keycloak for identity management, especially those in regulated industries or handling sensitive data, face increased risk of compromise. The vulnerability undermines user trust in MFA and may lead to increased operational costs due to incident response and remediation efforts. While the vulnerability does not directly impact system availability, the confidentiality and integrity of user accounts and associated resources are at risk.

Mitigation Recommendations

To mitigate CVE-2026-3429, organizations should apply any available patches or updates from Red Hat as soon as they are released. In the absence of an immediate patch, administrators should consider the following specific measures:

1) Restrict access to the Account REST API endpoints to trusted networks or IP ranges to reduce exposure.
2) Implement additional monitoring and alerting for suspicious activities related to MFA device management, such as unexpected deletions or registrations of MFA credentials.
3) Enforce stronger password policies and encourage users to use unique, complex passwords to reduce the likelihood of password compromise.
4) Consider deploying additional layers of authentication or anomaly detection on sensitive account management operations.
5) Review and tighten session management policies to ensure that sensitive actions require higher-assurance sessions or re-authentication.
6) Educate users about the risks of password reuse and phishing attacks that could lead to credential compromise.

These measures help reduce the risk of exploitation until a vendor patch is applied.
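As an added example of the monitoring suggested in measure 2 (not code from this advisory, Red Hat or the Keycloak project), the detector below scans Keycloak user events for the sequence this flaw enables: an OTP credential removed and a new one registered shortly afterwards. It assumes the event field names of Keycloak's event representation (time in epoch milliseconds, type, userId, ipAddress) and the LOGIN, REMOVE_TOTP and UPDATE_TOTP event types; the sample events, the 15-minute window and the "session began from a never-seen IP" enrichment are constructed choices.

```python
import json
from collections import defaultdict

# Keycloak user-event types that remove or (re)register an OTP credential.
REMOVE_TYPES = {"REMOVE_TOTP"}
REGISTER_TYPES = {"UPDATE_TOTP"}
WINDOW_MS = 15 * 60 * 1000  # removal then re-registration within 15 minutes

# Constructed sample events (JSON lines, Keycloak event field names, epoch-ms time); not a real capture.
SAMPLE_LOG = """
{"time": 1773240000000, "type": "LOGIN", "userId": "u-1", "ipAddress": "192.0.2.5"}
{"time": 1773244800000, "type": "LOGIN", "userId": "u-1", "ipAddress": "203.0.113.10"}
{"time": 1773244860000, "type": "REMOVE_TOTP", "userId": "u-1", "ipAddress": "203.0.113.10"}
{"time": 1773244920000, "type": "UPDATE_TOTP", "userId": "u-1", "ipAddress": "203.0.113.10"}
{"time": 1773245000000, "type": "LOGIN", "userId": "u-2", "ipAddress": "198.51.100.7"}
{"time": 1773245100000, "type": "REMOVE_TOTP", "userId": "u-2", "ipAddress": "198.51.100.7"}
{"time": 1773245200000, "type": "LOGIN", "userId": "u-3", "ipAddress": "198.51.100.20"}
{"time": 1773248000000, "type": "LOGIN", "userId": "u-3", "ipAddress": "198.51.100.20"}
{"time": 1773248100000, "type": "REMOVE_TOTP", "userId": "u-3", "ipAddress": "198.51.100.20"}
{"time": 1773248200000, "type": "UPDATE_TOTP", "userId": "u-3", "ipAddress": "198.51.100.20"}
"""

def parse_events(text):
    """Parse JSON-lines events and order them by time."""
    return sorted((json.loads(line) for line in text.splitlines() if line.strip()),
                  key=lambda e: e["time"])

def find_mfa_reset_sequences(events, window_ms=WINDOW_MS):
    """Alert when a user's OTP credential is removed and a new one registered
    within window_ms; record whether the session doing it began from a new IP."""
    known_ips = defaultdict(set)   # userId -> IPs seen on earlier LOGIN events
    session_new_ip = {}            # userId -> did the latest login use a new IP?
    pending_removal = {}           # userId -> removal awaiting a re-registration
    alerts = []
    for e in events:
        uid, ip = e["userId"], e.get("ipAddress")
        if e["type"] == "LOGIN":
            session_new_ip[uid] = ip not in known_ips[uid]
            known_ips[uid].add(ip)
        elif e["type"] in REMOVE_TYPES:
            pending_removal[uid] = e
        elif e["type"] in REGISTER_TYPES:
            r = pending_removal.pop(uid, None)
            if r and e["time"] - r["time"] <= window_ms:
                alerts.append({"userId": uid, "removal_ip": r.get("ipAddress"),
                               "registration_ip": ip,
                               "seconds_between": (e["time"] - r["time"]) // 1000,
                               "session_from_new_ip": session_new_ip.get(uid, True)})
    return alerts
```

A legitimate device rotation produces the same sequence, so treat the alert as a trigger for review rather than proof of compromise; if your Keycloak version emits generic REMOVE_CREDENTIAL/UPDATE_CREDENTIAL events instead, add them to the type sets and filter on the credential type carried in the event details.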


Technical Details

Data Version: 5.2
Assigner Short Name: redhat
Date Reserved: 2026-03-02T09:54:23.687Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69b198902f860ef9433d35fb

Added to database: 3/11/2026, 4:30:08 PM

Last enriched: 3/11/2026, 4:44:26 PM

Last updated: 3/11/2026, 8:18:54 PM

