Keycloak Account REST API Improper Access Control Vulnerability Allowing MFA Bypass and Account Takeover

Vulnerability

A vulnerability exists in the Account REST API of Keycloak, where improper access control allows users authenticated at a lower security level to perform actions reserved for higher-assurance sessions. An attacker with a victim's password can delete the victim's multi-factor authentication (MFA) credential without verifying possession of that factor. This enables the attacker to register their own MFA device, gaining full control of the account. The issue arises from insufficient validation of the authentication Level of Assurance (LoA), undermining the protection intended by MFA.
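The access-control gap described above can be shown as a small model of the decision a credential-management endpoint has to make. This is an added example, not Keycloak's code: the names Session, Credential, Account, remove_credential_vulnerable and remove_credential_hardened, and the LoA values 1 (password only) and 2 (password plus second factor), are constructed for illustration. The vulnerable handler only checks that the session belongs to the account owner; the hardened one also requires the session's achieved Level of Assurance to meet the level the credential being removed protects, so a password-only session cannot remove the second factor.

```python
"""
Model of a step-up (Level of Assurance) check when removing a second factor.

Constructed example, not Keycloak's code: every name and value here is a
hypothetical stand-in for the access-control decision the advisory describes.
"""
from dataclasses import dataclass, field

# Hypothetical LoA values: 1 = password only, 2 = password + second factor.
LOA_PASSWORD = 1
LOA_MFA = 2


@dataclass
class Credential:
    id: str
    kind: str           # "password" or "otp"
    required_loa: int   # LoA a session must hold to manage this credential


@dataclass
class Session:
    user: str
    loa: int            # assurance level actually achieved at login


@dataclass
class Account:
    user: str
    credentials: dict = field(default_factory=dict)


class AccessDenied(Exception):
    pass


def remove_credential_vulnerable(session, account, cred_id):
    """Only checks ownership; ignores the session's LoA (the flaw described)."""
    if session.user != account.user:
        raise AccessDenied("not owner")
    if cred_id not in account.credentials:
        raise KeyError(cred_id)
    return account.credentials.pop(cred_id)


def remove_credential_hardened(session, account, cred_id):
    """Checks ownership and requires the session LoA to meet the credential's level."""
    if session.user != account.user:
        raise AccessDenied("not owner")
    cred = account.credentials.get(cred_id)
    if cred is None:
        raise KeyError(cred_id)
    if session.loa < cred.required_loa:
        raise AccessDenied(
            f"step-up required: need LoA {cred.required_loa}, have {session.loa}"
        )
    return account.credentials.pop(cred_id)


def make_account():
    """Constructed account: one password and one OTP second factor."""
    acct = Account("alice")
    acct.credentials["pw"] = Credential("pw", "password", LOA_PASSWORD)
    acct.credentials["otp-1"] = Credential("otp-1", "otp", LOA_MFA)
    return acct


def can_remove_otp(handler, session_loa):
    """Return True if a session at the given LoA can remove the OTP credential."""
    acct = make_account()
    sess = Session("alice", session_loa)
    try:
        handler(sess, acct, "otp-1")
    except AccessDenied:
        return False
    return "otp-1" not in acct.credentials


if __name__ == "__main__":
    print("vulnerable, password-only session:", can_remove_otp(remove_credential_vulnerable, LOA_PASSWORD))
    print("hardened,   password-only session:", can_remove_otp(remove_credential_hardened, LOA_PASSWORD))
    print("hardened,   MFA session:          ", can_remove_otp(remove_credential_hardened, LOA_MFA))
```

The design point is that the required LoA is attached to the credential, not hard-coded in the endpoint: removing a second factor is itself a high-assurance action, so the check compares the session's achieved level against the level of the factor being removed and refuses with a step-up requirement rather than silently proceeding.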

Impact

Exploitation of this vulnerability can lead to unauthorized deletion of MFA credentials, allowing attackers to take over accounts by registering their own MFA devices.

Added: Mar 11, 2026, 5:19 PM
Updated: Mar 11, 2026, 5:19 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 3.1
exploitability: 6.8
remediation: 0.0
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.