CVE-2026-3429: Improper Access Control in Red Hat build of Keycloak 26.4
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.
AI Analysis
Technical Summary
CVE-2026-3429 is an improper access control vulnerability in the Account REST API of the Red Hat build of Keycloak 26.4. Keycloak is an open-source identity and access management product widely used for single sign-on and authentication. The flaw lets an attacker who already holds a victim's password perform account management actions that should be restricted to higher-assurance sessions: the attacker can delete the victim's registered multi-factor authentication (MFA) or one-time password (OTP) credential without proving possession of that second factor, then register their own MFA device, bypassing MFA and taking full control of the account.

The root cause is insufficient access control in the Account REST API endpoints, which do not require a higher-assurance session or proof of possession of the second factor before allowing an MFA credential to be deleted. No user interaction is needed beyond the attacker already holding the victim's password, and no privileges beyond those of a low-privileged authenticated user are required. The CVSS v3.1 base score is 4.2 (medium severity), reflecting a network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and limited confidentiality and integrity impact. No exploits in the wild had been reported as of the publication date. The vulnerability undermines MFA, a critical defense against account compromise, by allowing an attacker to remove and replace MFA credentials without proper authorization.
Potential Impact
The primary impact of CVE-2026-3429 is account takeover despite MFA being enrolled. An attacker who has obtained a user's password through phishing, credential stuffing, or other means can remove the victim's MFA credential and register their own, bypassing the protection MFA is meant to provide. This can lead to unauthorized access to sensitive systems, data breaches, and lateral movement within an organization. The flaw compromises the confidentiality and integrity of user accounts but does not affect availability. Organizations relying on the Red Hat build of Keycloak 26.4 for identity and authentication services are at risk, particularly those protecting high-value accounts or sensitive data with MFA; the weakness raises the risk of both insiders and external attackers escalating access, with possible consequences for regulatory compliance and trust. Although no exploits are currently known in the wild, the flaw's existence may encourage attackers to develop them, increasing future risk.
Mitigation Recommendations
To mitigate CVE-2026-3429, organizations should promptly update to a patched version of the Red Hat build of Keycloak once one is available; this is the most effective remediation. Until a patch can be applied:
- Monitor and alert on Account REST API usage, focusing on MFA credential deletion and registration events.
- Restrict access to the Account REST API to trusted networks or users, and enforce strong password policies to reduce the chance of the password compromise the attack depends on.
- Consider additional verification steps or manual approval workflows for MFA credential changes.
- Use anomaly detection to surface unusual account management activity.
- Educate users about phishing risks and encourage hardware-based MFA tokens, which may be less susceptible to remote credential manipulation.
- Review and tighten session management policies so that higher-assurance sessions are required for sensitive operations.
- Conduct regular security assessments and penetration tests that cover identity and access management components.
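A defender-side illustration of the monitoring recommendation above, added here and not part of the advisory or of Keycloak itself: it scans Keycloak-style user event records for an OTP credential removal followed by a re-registration, and rates the pair higher when the removing IP has no login history for that account. The JSON shape, the event type names (UPDATE_TOTP, REMOVE_TOTP and the generic *_CREDENTIAL forms) and the 15-minute window are assumptions.

```python
import json
from collections import defaultdict
# Event type names assumed from Keycloak's user event types, not taken from the advisory;
# the *_CREDENTIAL forms are the newer generic events, matched on details.credential_type.
REMOVE_TYPES = {"REMOVE_TOTP", "REMOVE_CREDENTIAL"}
REGISTER_TYPES = {"UPDATE_TOTP", "UPDATE_CREDENTIAL"}
WINDOW_MS = 15 * 60 * 1000  # removal followed by re-registration within 15 minutes (assumed)

def is_otp_event(ev, types):
    # True when the event is an OTP credential change of the requested kind
    if ev["type"] not in types:
        return False
    if ev["type"].endswith("_CREDENTIAL"):
        return ev.get("details", {}).get("credential_type") == "otp"
    return True

def detect_mfa_swaps(lines):
    """One finding per user whose OTP credential was removed and re-registered within WINDOW_MS;
    'high' when the removing IP has no LOGIN for that user older than the window, else 'medium'."""
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["time"])
    first_login = defaultdict(dict)  # userId -> {ipAddress: earliest LOGIN time}
    pending = {}                     # userId -> most recent OTP removal event
    findings = []
    for ev in events:
        uid = ev["userId"]
        if ev["type"] == "LOGIN":
            first_login[uid].setdefault(ev["ipAddress"], ev["time"])
        elif is_otp_event(ev, REMOVE_TYPES):
            pending[uid] = ev
        elif is_otp_event(ev, REGISTER_TYPES) and uid in pending:
            rm = pending.pop(uid)
            if ev["time"] - rm["time"] > WINDOW_MS:
                continue  # too far apart to treat as one credential swap
            # an IP whose first login for this user is inside the window is "new" (or never seen)
            new_ip = rm["time"] - first_login[uid].get(rm["ipAddress"], rm["time"]) <= WINDOW_MS
            findings.append({"userId": uid, "ip": rm["ipAddress"],
                             "severity": "high" if new_ip else "medium"})
    return findings

# Constructed sample in the shape of Keycloak's JSON event representation (assumption).
T, OTP = 1_772_000_000_000, {"credential_type": "otp"}
SAMPLE_LOG = [json.dumps(e) for e in [
    {"time": T, "type": "LOGIN", "userId": "u-victim", "ipAddress": "198.51.100.7"},  # first seen
    {"time": T + 120_000, "type": "REMOVE_TOTP", "userId": "u-victim", "ipAddress": "198.51.100.7"},
    {"time": T + 180_000, "type": "UPDATE_TOTP", "userId": "u-victim", "ipAddress": "198.51.100.7"},
    {"time": T - 7 * 86_400_000, "type": "LOGIN", "userId": "u-legit", "ipAddress": "203.0.113.22"},
    {"time": T + 60_000, "type": "REMOVE_CREDENTIAL", "userId": "u-legit", "ipAddress": "203.0.113.22", "details": OTP},
    {"time": T + 90_000, "type": "UPDATE_CREDENTIAL", "userId": "u-legit", "ipAddress": "203.0.113.22", "details": OTP},
]]
```

A routine OTP rotation from a long-standing address still surfaces as "medium", so the rule is a triage aid rather than a block; feed it from the realm's event store or the admin events API at whatever interval suits the deployment.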
Affected Countries
United States, Germany, United Kingdom, France, India, Japan, Canada, Australia, Netherlands, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-03-02T09:54:23.687Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b198902f860ef9433d35fb
Added to database: 3/11/2026, 4:30:08 PM
Last enriched: 4/3/2026, 3:21:23 AM
Last updated: 4/25/2026, 10:04:19 PM