VYPR
Medium severity4.2NVD Advisory· Published Mar 11, 2026· Updated Apr 2, 2026

CVE-2026-3429

CVE-2026-3429

Description

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.keycloak:keycloak-servicesMaven
<= 26.5.6

Affected products

7

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.