FKIE_CVE-2026-3429

Vulnerability from fkie_nvd - Published: 2026-03-11 17:16 - Updated: 2026-03-12 21:08
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2026-3429
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2443771
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim\u2019s password can delete the victim\u2019s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication."
    },
    {
      "lang": "es",
      "value": "Se identific\u00f3 una vulnerabilidad en la API REST de Cuentas de Keycloak que permite a un usuario autenticado con un nivel de seguridad inferior realizar acciones sensibles destinadas \u00fanicamente a sesiones de mayor garant\u00eda. Espec\u00edficamente, un atacante que ya ha obtenido la contrase\u00f1a de una v\u00edctima puede eliminar la credencial MFA/OTP registrada de la v\u00edctima sin probar primero la posesi\u00f3n de ese factor. El atacante puede entonces registrar su propio dispositivo MFA, tomando efectivamente el control total de la cuenta. Esta debilidad socava la protecci\u00f3n prevista proporcionada por la autenticaci\u00f3n multifactor."
    }
  ],
  "id": "CVE-2026-3429",
  "lastModified": "2026-03-12T21:08:22.643",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-11T17:16:59.270",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2026-3429"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443771"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.