CVE-2026-37982 - Vulnerability Details

- Keycloak: org.keycloak.authentication: keycloak: unauthorized account takeover via webauthn token replay

Description

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.

Published: 2026-05-19

Score: 6.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Keycloak allows a remote attacker to replay ExecuteActionsActionToken tokens used in the WebAuthn flow. By capturing an execute‑actions email link, the attacker can register their own authenticator to the victim’s account. The successfully added hardware‑backed credential gives the attacker persistent control of the account, effectively achieving account takeover. The weakness involves improper validation preventing token reuse, which is reflected in CWE‑1025 and related authorization flaws.

Affected Systems

The vulnerability affects Red Hat Builds of Keycloak. No specific product versions are listed in the CNA data, so all releases that include the vulnerable WebAuthn component may be impacted.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate to high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring interception or receipt of an execute‑actions email link. Once the token is replayed, an attacker can add a new authenticator to the victim’s account, resulting in an effective persistent takeover without further credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Red Hat	Red Hat Build of Keycloak	affected	—

No data.

No data available yet.

Remediation

Vendor Workaround

To mitigate this issue, consider disabling WebAuthn required actions in Keycloak if they are not essential for your deployment. This will prevent the vulnerable token replay mechanism from being exploited. Consult Keycloak documentation for specific configuration steps to disable WebAuthn required actions. Note that applying configuration changes may require a service restart and could impact functionality relying on WebAuthn registration.

OpenCVE Recommended Actions

Apply the latest vendor patch or update to the patched version of Keycloak as released by Red Hat.
Disable WebAuthn required actions in Keycloak configuration if they are not essential, following the guidance in the official workaround. This prevents the vulnerable token replay from being exploitable.
If possible, invalidate or revoke any existing ExecuteActionsActionTokens to eliminate the window for token reuse.

Generated by OpenCVE AI on May 19, 2026 at 12:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00048.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-37982
https://bugzilla.redhat.com/show_bug.cgi?id=2455329
https://nvd.nist.gov/vuln/detail/CVE-2026-37982
https://www.cve.org/CVERecord?id=CVE-2026-37982

History

Tue, 19 May 2026 12:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1025 CWE-602

Tue, 19 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-37982 https://www.cve.org/CVERecord?id=CVE-2026-37982
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 19 May 2026 11:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.
Title		Keycloak: org.keycloak.authentication: keycloak: unauthorized account takeover via webauthn token replay
First Time appeared		Redhat Redhat build Keycloak
CPEs		cpe:/a:redhat:build_keycloak:
Vendors & Products		Redhat Redhat build Keycloak
References		https://access.redhat.com/security/cve/CVE-2026-37982 https://bugzilla.redhat.com/show_bug.cgi?id=2455329
Metrics		cvssV3_1 `{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}`

Subscriptions

Redhat Build Keycloak

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-05-19T10:52:32.486Z

Updated: 2026-05-19T10:52:32.486Z

Reserved: 2026-04-06T07:48:39.722Z

Link: CVE-2026-37982

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-19T12:16:18.610

Modified: 2026-05-19T12:16:18.610

Link: CVE-2026-37982

Redhat

Severity : Moderate

Publid Date: 2026-05-19T00:00:00Z

Links: CVE-2026-37982 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-19T12:30:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object