The popular open-source identity and access management solution Keycloak has released a critical security update, version 26.5.7, addressing a series of vulnerabilities that could allow attackers to bypass multi-factor authentication (MFA), steal access tokens, and access sensitive user data.
The update tackles several flaws ranging from high-impact authorization bypasses to subtle logic errors in session management, affecting modern applications and services that rely on Keycloak for their security backbone.
One of the most alarming flaws disclosed is CVE-2026-3429. In a typical secure environment, deleting an MFA device should require the user to re-authenticate using that very factor. However, Keycloak’s Account REST API was found to be missing this “higher-assurance” check.
If an attacker manages to obtain a victim’s password, they can move into the account settings and delete the registered MFA/OTP credential without ever possessing the physical device or app. As the CVE record explains:
“The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.”
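As an added detection example (not Keycloak code), the script below scans a stream of Keycloak-style user events and flags OTP credential removals that are not backed by a fresh login from the same source address, which is the kind of signal a defender would want while the unpatched Account REST API is exposed. The event records are constructed for this example and only loosely follow Keycloak's event representation (time in milliseconds, type, userId, ipAddress); REMOVE_TOTP and LOGIN are Keycloak event types, and the 5-minute window, user ids and addresses are assumptions.

```python
"""Flag MFA/OTP credential removals that are not backed by a fresh login
from the same source address.

Added example for the vulnerability class described above; it is not Keycloak
code. Event records are constructed and only loosely follow Keycloak's event
representation (time in ms, type, userId, ipAddress).
"""

CREDENTIAL_REMOVALS = {"REMOVE_TOTP", "REMOVE_CREDENTIAL"}

# Constructed sample events, roughly in the shape of Keycloak's event export.
SAMPLE_EVENTS = [
    {"time": 1_000_000, "type": "LOGIN",       "userId": "u1", "ipAddress": "10.0.0.5"},
    {"time": 1_060_000, "type": "REMOVE_TOTP", "userId": "u1", "ipAddress": "10.0.0.5"},
    {"time": 2_000_000, "type": "LOGIN",       "userId": "u2", "ipAddress": "10.0.0.7"},
    {"time": 2_900_000, "type": "REMOVE_TOTP", "userId": "u2", "ipAddress": "203.0.113.9"},
    {"time": 5_000_000, "type": "REMOVE_TOTP", "userId": "u3", "ipAddress": "198.51.100.2"},
]


def suspicious_removals(events, window_ms=5 * 60 * 1000):
    """Return (userId, time, reasons) for every credential removal that does not
    follow a LOGIN by the same user within window_ms from the same address.

    The window is an assumed policy value, not a Keycloak setting.
    """
    last_login = {}  # userId -> most recent LOGIN event seen so far
    findings = []
    for event in sorted(events, key=lambda e: e["time"]):
        if event["type"] == "LOGIN":
            last_login[event["userId"]] = event
            continue
        if event["type"] not in CREDENTIAL_REMOVALS:
            continue
        login = last_login.get(event["userId"])
        reasons = []
        if login is None:
            reasons.append("no prior login in event stream")
        else:
            if event["time"] - login["time"] > window_ms:
                reasons.append("login older than window")
            if login["ipAddress"] != event["ipAddress"]:
                reasons.append("removal from different address than login")
        if reasons:
            findings.append((event["userId"], event["time"], reasons))
    return findings


if __name__ == "__main__":
    for user, when, reasons in suspicious_removals(SAMPLE_EVENTS):
        print(f"{user} @ {when}: {', '.join(reasons)}")
```

On the constructed data, u1's removal sixty seconds after a login from the same address passes, while u2 (stale login, different address) and u3 (no login at all) are reported. The heuristic is deliberately conservative: it treats the absence of evidence of re-authentication as the finding, which matches the property the patched Account REST API is meant to enforce.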
For organizations using User-Managed Access (UMA), CVE-2026-4636 (CVSS 8.1) presents a severe risk. An authenticated user with the uma_protection role can manipulate policy creation requests to include resource identifiers belonging to other users.
By tricking the system into validating a policy for a resource they don’t own, an attacker can obtain a Requesting Party Token (RPT). This token serves as a skeleton key, granting unauthorized permissions to view or modify a victim’s sensitive information.
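The missing check behind CVE-2026-4636 is an ownership test on every resource id named in a policy request. The following is an added illustration of that check (it is not Keycloak's implementation): the resource registry, user names and the simplified policy representation are constructed for the example.

```python
"""Server-side ownership check for UMA permission-policy creation.

Added example illustrating the missing check described above; it is not
Keycloak's implementation. The resource registry and user names are
constructed, and the policy representation is a simplification.
"""


class PolicyError(Exception):
    """Raised when a policy request is rejected."""


# Constructed registry: resource id -> owning user.
RESOURCES = {
    "res-alice-doc": "alice",
    "res-alice-photo": "alice",
    "res-bob-doc": "bob",
}


def create_uma_policy(requester, requester_roles, resource_ids, grantee, scopes,
                      resources=RESOURCES):
    """Create a user-managed permission policy.

    Authorization is two-step: the requester needs the uma_protection role to
    call the endpoint at all, and every resource named in the request must be
    owned by the requester. Unknown resource ids fail the ownership test, so a
    request cannot probe for ids it does not own.
    """
    if "uma_protection" not in requester_roles:
        raise PolicyError("uma_protection role required")
    if not resource_ids:
        raise PolicyError("policy must reference at least one resource")
    foreign = sorted(r for r in resource_ids if resources.get(r) != requester)
    if foreign:
        raise PolicyError(f"{requester!r} does not own: {foreign}")
    return {
        "owner": requester,
        "resources": sorted(resource_ids),
        "grantee": grantee,
        "scopes": sorted(scopes),
    }


if __name__ == "__main__":
    print(create_uma_policy("alice", {"uma_protection"}, ["res-alice-doc"],
                            "bob", ["view"]))
```

The point of the example is that holding uma_protection is necessary but not sufficient: the role gates the endpoint, and ownership of each resource gates the content of the request. A single foreign id anywhere in the list rejects the whole request rather than silently dropping it.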
CVE-2026-3872 can be exploited by an attacker who controls a different path on the same web server as a legitimate redirect target. By abusing redirect URIs that use wildcards, the adversary can bypass path restrictions to intercept and steal access tokens. This “Open Redirect” style attack is a common precursor to full account impersonation and data exfiltration.
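Two defensive checks follow from this: audit client registrations for wildcard redirect URIs, and compare a presented redirect_uri against registrations component by component rather than by prefix. The code below is an added example and not Keycloak's matcher; the client registrations are constructed and only mirror the shape of Keycloak's client export ("clientId", "redirectUris").

```python
"""Exact redirect-URI matching and an audit for wildcard registrations.

Added example for the issue described above; it is not Keycloak code. The
client registrations are constructed and only mirror the shape of Keycloak's
client export ("clientId", "redirectUris").
"""
from urllib.parse import urlsplit

# Constructed registrations: one host-wide wildcard, one exact URI, one global wildcard.
CLIENTS = [
    {"clientId": "portal", "redirectUris": ["https://app.example.com/*"]},
    {"clientId": "billing", "redirectUris": ["https://billing.example.com/oidc/callback"]},
    {"clientId": "legacy", "redirectUris": ["*"]},
]


def audit_wildcards(clients):
    """Report every registered redirect URI containing a wildcard, with a note
    on how broad it is. A wildcard directly after the host means any path on
    that server (including ones the application does not control) is accepted."""
    findings = []
    for client in clients:
        for uri in client["redirectUris"]:
            if "*" not in uri:
                continue
            if uri.strip() == "*":
                note = "any URI accepted"
            elif urlsplit(uri).path in ("/*", "*"):
                note = "any path on host accepted"
            else:
                note = "prefix wildcard"
            findings.append((client["clientId"], uri, note))
    return findings


def _parts(uri):
    """Components that must match exactly: scheme, host, port, path, query."""
    p = urlsplit(uri)
    return (p.scheme.lower(), p.hostname, p.port, p.path, p.query)


def redirect_allowed(registered_uris, candidate):
    """Accept a redirect_uri only if it equals a registration component for
    component. Fragments, userinfo and wildcard registrations never match,
    and no path-prefix or dot-segment normalisation is applied."""
    cand = urlsplit(candidate)
    if cand.fragment or cand.username or cand.password:
        return False
    for uri in registered_uris:
        if "*" in uri:
            continue  # the strict matcher ignores wildcard entries entirely
        if _parts(uri) == _parts(candidate):
            return True
    return False


if __name__ == "__main__":
    for client_id, uri, note in audit_wildcards(CLIENTS):
        print(f"{client_id}: {uri} ({note})")
```

Running the audit on the constructed data reports "portal" and "legacy"; the strict matcher accepts the billing callback only when scheme, host, port, path and query all agree, so a URI under a different path on the same host, or one carrying a fragment, is refused.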
Keycloak’s underlying architecture also received a fix for CVE-2026-1002. The Vert.x Web static handler, which Keycloak uses to serve files, contained a flaw in its URI processing.
An attacker can craft a specific request—for example, using a string like bar%2F..%2F—to manipulate the component’s cache. This causes the server to return a 404 Not Found error for legitimate files, effectively denying service to users trying to access the login page or web assets.
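The defensive principle for this class of bug is that a request path is percent-decoded, normalised and validated before it is used as a cache key or file-system path, so that an encoded traversal sequence like bar%2F..%2F can never create or disturb the cache entry for a legitimate asset. The code below is an added example of that ordering; it is not the Vert.x handler's code, the cache is a simplified in-memory model, and the file contents are constructed.

```python
"""Canonicalise a request path before it touches a static-file cache.

Added example for the class of bug described above; it is not the Vert.x
handler's code and the cache is a simplified model. The file set is constructed.
"""
from urllib.parse import unquote


class PathRejected(Exception):
    """Raised for a request path that must not reach the file system or cache."""


def canonical_path(raw_target):
    """Return a normalised absolute path for a request target, or raise.

    Order matters: decode once, refuse anything that decodes again (double
    encoding), then reject traversal segments. Only the canonical form is
    ever returned, so callers cannot accidentally key on the raw string.
    """
    path = raw_target.split("?", 1)[0]
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        raise PathRejected("double-encoded path")
    if "\x00" in decoded or "\\" in decoded:
        raise PathRejected("forbidden character in path")
    segments = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            raise PathRejected("dot-dot segment")
        segments.append(segment)
    return "/" + "/".join(segments)


class StaticFileCache:
    """Tiny cache in front of an in-memory file set. Misses are cached too
    (a negative cache), which is exactly why the key must be canonical."""

    def __init__(self, files):
        self._files = dict(files)
        self._cache = {}

    def lookup(self, raw_target):
        key = canonical_path(raw_target)  # raises first; nothing is cached on rejection
        if key not in self._cache:
            self._cache[key] = self._files.get(key)
        return self._cache[key]

    def cached_keys(self):
        return sorted(self._cache)


# Constructed file set standing in for login-page assets.
FILES = {"/resources/login.js": b"// constructed asset"}


if __name__ == "__main__":
    cache = StaticFileCache(FILES)
    print(cache.lookup("/resources/login.js"))
    try:
        cache.lookup("/bar%2F..%2Fresources/login.js")
    except PathRejected as exc:
        print("rejected:", exc)
    print(cache.cached_keys())
```

After the rejected request the cache still holds only the legitimate key, and the asset is still served; the rejection happens before any cache read or write, which is the property to preserve.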
To mitigate these risks, administrators are urged to upgrade to Keycloak 26.5.7 immediately.