Medium severity (4.2) · NVD Advisory · Published Mar 11, 2026 · Updated Apr 2, 2026
CVE-2026-3429
Description
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-services (Maven) | <= 26.5.6 | — |
Affected products
7 OSV package coordinates (no CPE assigned):
- pkg:apk/chainguard/keycloak-26.5 — range: < 26.5.6-r0
- pkg:apk/chainguard/keycloak-26.5-iamguarded-compat — range: < 26.5.6-r0
- pkg:apk/chainguard/keycloak-fips-26.5 — range: < 26.5.6-r0
- pkg:apk/chainguard/keycloak-fips-26.5-iamguarded-fips — range: < 26.5.6-r0
- pkg:apk/wolfi/keycloak-26.5 — range: < 26.5.6-r0
- pkg:apk/wolfi/keycloak-26.5-iamguarded-compat — range: < 26.5.6-r0
- pkg:maven/org.keycloak/keycloak-services — range: <= 26.5.6
References
8 references:
- github.com/advisories/GHSA-8g9r-9wjw-37j4 (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-3429 (source: GHSA; type: advisory)
- access.redhat.com/errata/RHSA-2026:6477 (source: NVD; type: web)
- access.redhat.com/errata/RHSA-2026:6478 (source: NVD; type: web)
- access.redhat.com/security/cve/CVE-2026-3429 (source: NVD; type: web)
- bugzilla.redhat.com/show_bug.cgi (source: NVD; type: web)
- github.com/keycloak/keycloak/commit/68f5779230d08825e6a4b4e23471fade16434178 (source: GHSA; type: web)
- github.com/keycloak/keycloak/issues/47069 (source: GHSA; type: web)