Description
A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.
Published: 2026-05-19
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Keycloak allows a remote attacker to replay ExecuteActionsActionToken tokens used in the WebAuthn flow. By capturing an execute‑actions email link, the attacker can register their own authenticator to the victim’s account. The successfully added hardware‑backed credential gives the attacker persistent control of the account, effectively achieving account takeover. The weakness involves improper validation preventing token reuse, which is reflected in CWE‑294.

Affected Systems

The vulnerability affects Red Hat Builds of Keycloak. No specific product versions are listed in the CNA data, so all releases that include the vulnerable WebAuthn component may be impacted.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate to high severity. The EPSS score of < 1% indicates a very low but non‑zero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring interception or receipt of an execute‑actions email link. Once the token is replayed, an attacker can add a new authenticator to the victim’s account, resulting in an effective persistent takeover without further credentials.

Generated by OpenCVE AI on May 19, 2026 at 17:27 UTC.

Remediation

Vendor Workaround

To mitigate this issue, consider disabling WebAuthn required actions in Keycloak if they are not essential for your deployment. This will prevent the vulnerable token replay mechanism from being exploited. Consult Keycloak documentation for specific configuration steps to disable WebAuthn required actions. Note that applying configuration changes may require a service restart and could impact functionality relying on WebAuthn registration.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or update to the patched version of Keycloak as released by Red Hat.
  • Disable WebAuthn required actions in Keycloak configuration if they are not essential, following the guidance in the official workaround. This prevents the vulnerable token replay from being exploitable.
  • If possible, invalidate or revoke any existing ExecuteActionsActionTokens to eliminate the window for token reuse.

Generated by OpenCVE AI on May 19, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w4p5-rfh6-cwrv Keycloak: Unauthorized account takeover via WebAuthn token replay
History

Wed, 03 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*

Wed, 20 May 2026 16:45:00 +0000

Type Values Removed Values Added
References

Wed, 20 May 2026 12:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.4::el9
References

Tue, 19 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1025
CWE-602

Tue, 19 May 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Vendors & Products Redhat build Of Keycloak

Tue, 19 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-294
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1025
CWE-602

Tue, 19 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 19 May 2026 11:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.
Title Keycloak: org.keycloak.authentication: keycloak: unauthorized account takeover via webauthn token replay
First Time appeared Redhat
Redhat build Keycloak
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Redhat Build Keycloak Build Of Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-20T16:08:55.881Z

Reserved: 2026-04-06T07:48:39.722Z

Link: CVE-2026-37982

cve-icon Vulnrichment

Updated: 2026-05-19T13:37:11.234Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T12:16:18.610

Modified: 2026-06-03T19:53:41.823

Link: CVE-2026-37982

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-19T00:00:00Z

Links: CVE-2026-37982 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T17:30:10Z

Weaknesses