CVE-2026-3429 Overview
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim's password can delete the victim's registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.
Critical Impact
An attacker with knowledge of a victim's password can bypass MFA protections by deleting the victim's registered authenticator and enrolling their own, leading to complete account takeover.
Affected Products
- Keycloak (specific versions not disclosed)
- Red Hat SSO (related implementations)
- Identity providers using Keycloak Account REST API
Discovery Timeline
- 2026-03-11 - CVE-2026-3429 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-3429
Vulnerability Analysis
This vulnerability represents a Broken Access Control flaw (CWE-284) in the Keycloak Account REST API. The core issue lies in the API's failure to enforce step-up authentication requirements when performing sensitive credential management operations. In a properly secured implementation, actions that modify security credentials—particularly those related to multi-factor authentication—should require the user to re-authenticate or prove possession of the existing MFA factor before any changes are permitted.
The Keycloak Account REST API exposes endpoints that allow authenticated users to manage their credentials, including MFA/OTP devices. However, the vulnerability permits these sensitive operations to be executed with a session authenticated only at the primary factor level (username/password), without requiring proof of the second factor. This design flaw effectively reduces MFA protection to single-factor authentication for account management operations.
Root Cause
The root cause is improper access control in the Account REST API's credential management endpoints. The API fails to validate the authentication assurance level (AAL) of the current session before permitting credential deletion operations. Specifically, the endpoint responsible for removing OTP/MFA credentials does not enforce a step-up authentication challenge, allowing a session authenticated with only a password to perform operations that should require MFA verification.
This implementation oversight violates the principle that security-sensitive operations should require authentication at an appropriate assurance level. The API should enforce that any modification to MFA credentials requires the user to first prove possession of their existing second factor.
Attack Vector
The attack exploits the network-accessible Account REST API and requires an attacker to have already compromised the victim's password through phishing, credential stuffing, or other means. The attack follows this sequence:
- Initial Authentication: The attacker authenticates to Keycloak using the victim's username and stolen password
- MFA Credential Enumeration: The attacker uses the Account REST API to enumerate the victim's registered MFA devices
- MFA Credential Deletion: Without being challenged for the second factor, the attacker deletes the victim's existing OTP/MFA credential via the vulnerable API endpoint
- Malicious MFA Registration: The attacker registers their own MFA device to the victim's account
- Account Takeover: The attacker now has full control with valid credentials and their own MFA device enrolled
This attack is particularly dangerous because it defeats the purpose of MFA—even if an organization has enforced MFA for all users, an attacker who obtains a password can circumvent this protection entirely.
Detection Methods for CVE-2026-3429
Indicators of Compromise
- Unexpected deletion of MFA/OTP credentials followed by immediate registration of new MFA devices
- Account REST API calls to credential management endpoints from unusual IP addresses or geolocations
- Authentication sessions where MFA credentials were modified without a corresponding MFA challenge being satisfied
- Multiple failed login attempts followed by successful authentication and immediate credential changes
- Anomalous patterns in Keycloak audit logs showing credential lifecycle events
Detection Strategies
- Monitor Keycloak audit events for DELETE_CREDENTIAL and UPDATE_CREDENTIAL events on OTP/MFA credential types
- Implement alerting on credential management API calls that occur within a session that did not satisfy an MFA challenge
- Create correlation rules to detect password-only authentication followed by MFA credential modifications
- Review Account REST API access logs for credential management endpoint usage patterns
- Deploy behavioral analytics to identify anomalous account management activities
Monitoring Recommendations
- Enable comprehensive audit logging in Keycloak for all credential lifecycle events
- Configure SIEM rules to alert on MFA credential deletion events, especially when followed by new MFA enrollment
- Monitor for bulk or automated access patterns against the Account REST API
- Implement session tracking to correlate authentication strength with subsequent API operations
- Establish baseline patterns for legitimate MFA credential management to identify deviations
How to Mitigate CVE-2026-3429
Immediate Actions Required
- Review and audit recent MFA credential changes in your Keycloak deployment to identify potential compromise
- Implement network-level access controls to restrict Account REST API access to trusted networks where possible
- Consider temporarily disabling self-service MFA management until patches are applied
- Enable enhanced audit logging for all credential management operations
- Notify users of any suspicious MFA credential changes and require manual verification through alternative channels
Patch Information
Consult the Red Hat CVE-2026-3429 Advisory for official patch information and affected version details. The Red Hat Bug Report #2443771 contains additional technical details about the vulnerability and remediation guidance. Apply vendor-provided patches as soon as they become available for your Keycloak deployment.
Workarounds
- Implement a reverse proxy or API gateway rule to require step-up authentication for credential management endpoints
- Configure Keycloak authentication flows to require re-authentication for Account Console access
- Restrict Account REST API access through network segmentation or firewall rules
- Implement custom authentication policies that enforce MFA verification before credential changes
- Use organizational policies to require help desk verification for any MFA credential modifications
# Example: Restrict Account REST API access via reverse proxy
# Add authentication requirements for credential management endpoints
# Note: Adjust paths according to your Keycloak configuration
# Nginx example - require client certificate for sensitive endpoints
location ~ ^/realms/[^/]+/account/credentials {
# Require additional authentication layer
auth_request /auth/step-up;
proxy_pass http://keycloak-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
