CVE-2026-37982
Status: Analyzed (Analysis Complete)
Authentication Bypass in Keycloak WebAuthn Flow

Publication date: 2026-05-19

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-05-19
EPSS evaluated: 2026-06-08
Affected Vendors & Products (1 associated CPE)
Vendor: redhat
Product: build_of_keycloak
Version range: from 26.4 (inclusive) to 26.4.12 (exclusive)
CWE
CWE-294: A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
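The defence against a capture-replay flaw of this class is to make each action token single-use: verifying the signature and expiry alone leaves a captured link valid until it expires, whereas recording the token's unique id on first use rejects the second presentation. The following is an added illustration written for this page, not Keycloak's code and not a description of how Keycloak implements its action tokens; the token format, the `jti` field, the demo key and the `webauthn-register` action name are all constructed for the example.

```python
"""Single-use action-token verification against capture/replay (CWE-294).

Added illustration, not Keycloak's code. An HMAC-signed token carries a unique
id (jti); the hardened verifier accepts each jti once, so a captured copy of an
"execute actions" link cannot be presented a second time.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment uses a managed, rotated secret.
KEY = b"constructed-demo-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_action_token(user_id: str, actions: list, ttl_s: int, now: float) -> str:
    """Issue a signed token: subject, allowed actions, expiry and a random jti (hypothetical format)."""
    payload = {"sub": user_id, "act": actions, "exp": now + ttl_s, "jti": secrets.token_hex(16)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _parse(token: str, now: float):
    """Check signature and expiry; return (payload, reason). Shared by both verifiers."""
    body, sig = token.split(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None, "bad signature"
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        return None, "expired"
    return payload, "ok"


class ReplayableVerifier:
    """Weak pattern: signature and expiry only, so a captured token stays valid until it expires."""

    def verify(self, token: str, now: float):
        payload, reason = _parse(token, now)
        return payload is not None, reason


class SingleUseVerifier:
    """Hardened pattern: remember each consumed jti and reject a second presentation as a replay."""

    def __init__(self):
        self._consumed = {}  # jti -> expiry, so entries can be pruned once the token is dead anyway

    def verify(self, token: str, now: float):
        payload, reason = _parse(token, now)
        if payload is None:
            return False, reason
        self._prune(now)
        if payload["jti"] in self._consumed:
            return False, "replayed"
        self._consumed[payload["jti"]] = payload["exp"]
        return True, "ok"

    def _prune(self, now: float) -> None:
        # Expired tokens fail _parse regardless, so their jti no longer needs to be remembered.
        for jti, exp in list(self._consumed.items()):
            if exp <= now:
                del self._consumed[jti]


def replay_outcome(verifier_cls, now: float = 1_000_000.0):
    """Present one token twice, five seconds apart; return the (first, second) verdict reasons."""
    verifier = verifier_cls()
    token = mint_action_token("victim", ["webauthn-register"], 300, now)
    first = verifier.verify(token, now)
    second = verifier.verify(token, now + 5)
    return first[1], second[1]


if __name__ == "__main__":
    print("replayable:", replay_outcome(ReplayableVerifier))  # ('ok', 'ok')
    print("single-use:", replay_outcome(SingleUseVerifier))   # ('ok', 'replayed')
```

The in-memory `_consumed` dictionary stands in for whatever shared store a clustered deployment would need; the property that matters for detection and mitigation is that the consumed-id check happens on the server after signature validation, so a replayed link produces a distinguishable "replayed" outcome that can be logged and alerted on rather than silently succeeding.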
AI Quick Actions
Executive Summary

This vulnerability is a flaw in Keycloak's authentication system involving the WebAuthn (Web Authentication) flow. It allows a remote attacker to replay ExecuteActionsActionToken tokens by intercepting an execute-actions email link. Through this, the attacker can register their own hardware-backed authenticator to a victim's account without authorization.

As a result, the attacker can persistently take over the victim's account by enrolling their own credential.

Impact Analysis

This vulnerability can lead to unauthorized account takeover. An attacker who exploits this flaw can gain persistent access to a victim's account by registering their own hardware-backed authenticator.

Such unauthorized access compromises the confidentiality and integrity of the victim's account and any sensitive information or services accessible through it.

Compliance Impact

The vulnerability allows unauthorized enrollment of a hardware-backed credential to a victim's account, enabling persistent account takeover. This unauthorized access can lead to compromise of sensitive personal data, which may impact compliance with data protection regulations such as GDPR and HIPAA that require strict controls on access to personal and health information.

By enabling persistent account takeover, the flaw undermines authentication integrity and could result in unauthorized data access or disclosure, potentially violating confidentiality and security requirements mandated by these standards.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-37982 in Keycloak, it is recommended to update your Keycloak installation to the latest patched version that addresses this issue.

Although Resource 1 refers to a different CVE (CVE-2026-7507), it highlights the importance of applying updates to Red Hat builds of Keycloak to fix security issues.

Therefore, the immediate step is to check for and apply any available security patches or updates from your Keycloak vendor or distribution to prevent exploitation of the WebAuthn token replay vulnerability.
