A flaw was found in Keycloak versions 8.0.2 and 9.0.0, and fixed in Keycloak version 9.0.1, in which a malicious user registers an account as themselves.
The information has been provided by Oliver P
The original article can be found at: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686
The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.
Vulnerable systems:
Keycloak version 8.0.2
Keycloak version 9.0.0
Fixed in:
Keycloak version 9.0.1
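
The description above implies the remove devices form acted on whatever credential ID was posted. The following is an added example, a constructed Python model and not Keycloak's code or its actual fix, contrasting that pattern with a handler that authorises the credential against the session user and records rejected attempts; all class, method and ID names are hypothetical.

```python
"""Constructed model of a "remove device" form handler; not Keycloak code."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a user acts on a credential they do not own."""


@dataclass(frozen=True)
class Credential:
    credential_id: str
    owner: str  # user id the MFA device is registered to
    kind: str   # e.g. "otp"


class CredentialStore:
    def __init__(self, credentials):
        self._by_id = {c.credential_id: c for c in credentials}
        self.audit = []  # (session_user, credential_id) for rejected removals

    def ids_for(self, user):
        return sorted(c.credential_id for c in self._by_id.values()
                      if c.owner == user)

    def remove_unchecked(self, session_user, credential_id):
        # Flawed pattern: trusts the posted ID and never compares the
        # credential's owner with the authenticated session user.
        return self._by_id.pop(credential_id, None) is not None

    def remove_checked(self, session_user, credential_id):
        # Hardened pattern: look up, authorise against the session user,
        # then delete. Unknown and foreign IDs raise the same error so the
        # response does not confirm which credential IDs exist.
        cred = self._by_id.get(credential_id)
        if cred is None or cred.owner != session_user:
            self.audit.append((session_user, credential_id))
            raise Forbidden("credential not found for this user")
        del self._by_id[credential_id]
        return True


def sample_store():
    # Constructed sample data: two users with one OTP device each.
    return CredentialStore([
        Credential("cred-alice-1", "alice", "otp"),
        Credential("cred-bob-1", "bob", "otp"),
    ])
```

Entries in `audit` are the signal to alert on: a session repeatedly posting credential IDs it does not own.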