CVE-2026-37982
Status: Analyzed (analysis complete)

Authentication Bypass in Keycloak WebAuthn Flow

Vulnerability report for CVE-2026-37982, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-19

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay an `ExecuteActionsActionToken` within Keycloak's WebAuthn (Web Authentication) flow: an execute-actions email link that the attacker intercepts can be presented again to register the attacker's own authenticator on the victim's account. The result is unauthorized enrollment of a hardware-backed credential, giving the attacker persistent account takeover.


Meta Information

Published: 2026-05-19
Last Modified: 2026-06-03
Generated: 2026-06-30
AI Q&A: 2026-05-20
EPSS Evaluated: 2026-06-28
External references: NVD, EUVD

Affected Vendors & Products

1 associated CPE
Vendor: redhat
Product: build_of_keycloak
Version / Range: from 26.4 (inclusive) to 26.4.12 (exclusive)


Exploitability

CWE: CWE-294 (Capture-replay). A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
KEV: no entry listed on this page.


AI Quick Actions

Mitigation Strategies

To mitigate CVE-2026-37982, update Keycloak to a version that addresses this issue. The affected-products data on this page lists Red Hat build of Keycloak from 26.4 (inclusive) up to but not including 26.4.12, so 26.4.12 or later is the target for that range; consult your vendor's advisory for other distributions.

(The page's first listed resource concerns a different CVE, CVE-2026-7507; it is relevant here only in that it also directs operators to apply Red Hat build of Keycloak updates.)

Patching stops further replays but does not undo enrollments that already happened. After updating, review the WebAuthn authenticators registered on sensitive accounts during the exposure window and remove any the user does not recognise. Because the attack starts from an intercepted execute-actions email link, exposure is also bounded by the realm's action-token lifespan and by how well the email path is protected in transit; keep that lifespan short.
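As an added example of the version check above (written for this page, not tooling from Keycloak or Red Hat): the affected range is taken from this page's CPE row, and the serverinfo sample together with its systemInfo.version path is a constructed assumption about the admin API's response shape. Versions are compared numerically so that 26.4 is treated as 26.4.0 and 26.4.9 sorts below 26.4.12.

```python
import json
from typing import Tuple

# Affected range from this page's CPE row: from 26.4 (inclusive) to 26.4.12 (exclusive).
AFFECTED_FROM = "26.4"
AFFECTED_TO = "26.4.12"


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the numeric dotted core of a version string as a tuple.
    Anything after a '-' or '+' (a build qualifier; an assumption about how a
    vendor build might be labelled) is ignored. Non-numeric components raise
    ValueError instead of silently comparing as strings."""
    core = version.strip().split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # 26.4 must compare equal to 26.4.0, so pad with zeros before comparing.
    return v + (0,) * (width - len(v))


def is_affected(version: str, start: str = AFFECTED_FROM, end: str = AFFECTED_TO) -> bool:
    """True when start <= version < end, component by component."""
    lo, hi, v = parse_version(start), parse_version(end), parse_version(version)
    width = max(len(lo), len(hi), len(v))
    return _pad(lo, width) <= _pad(v, width) < _pad(hi, width)


def version_from_serverinfo(serverinfo_json: str) -> str:
    """Extract the server version from an admin serverinfo document.
    The systemInfo.version path is an assumption about the response shape."""
    doc = json.loads(serverinfo_json)
    return doc["systemInfo"]["version"]


# Constructed sample shaped like a serverinfo response; not captured from a real server.
SAMPLE_SERVERINFO = '{"systemInfo": {"version": "26.4.9"}}'


if __name__ == "__main__":
    running = version_from_serverinfo(SAMPLE_SERVERINFO)
    print(running, "affected" if is_affected(running) else "not affected")
```

Feed the function the version string from your own deployment rather than the constructed sample; a result of "affected" means the instance falls inside the range this page lists.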

Executive Summary

This vulnerability is a flaw in Keycloak's authentication system involving the WebAuthn (Web Authentication) flow. A remote attacker who intercepts an execute-actions email link can replay the ExecuteActionsActionToken it carries and, through it, register their own hardware-backed authenticator on the victim's account without authorization.

As a result, the attacker holds a credential of their own on the account and can persistently take it over.
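The capture-replay at the heart of the description and of this summary, modelled as an added example. This is illustrative Python written for this page, not Keycloak's code: the token format (an HMAC-signed JSON payload with assumed claim names such as typ, jti and actions) is a stand-in for Keycloak's real action tokens, and the single-use verifier shows one generic defence against CWE-294 (remembering consumed token IDs), not how Keycloak fixed the issue. The replayable verifier checks only signature and expiry, so an intercepted link works for the attacker as well as the victim; the single-use verifier refuses the second presentation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Demo-only signing key (constructed); a real deployment uses its own key material.
SECRET = b"constructed-demo-key-not-a-real-keycloak-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_action_token(user: str, actions: List[str], ttl: int = 900,
                       now: Optional[float] = None) -> str:
    """Mint a compact HMAC-signed token standing in for an execute-actions link.
    Claim names are assumptions for this demo; 'jti' is the per-token nonce."""
    now = time.time() if now is None else now
    claims = {"sub": user, "typ": "execute-actions", "actions": actions,
              "iat": int(now), "exp": int(now) + ttl, "jti": secrets.token_hex(16)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def _parse_and_verify(token: str, now: float) -> Optional[Dict]:
    """Signature, type and expiry checks shared by both verifiers."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("jti") is None:
        return None
    if claims.get("typ") != "execute-actions" or claims.get("exp", 0) <= now:
        return None
    return claims


class ReplayableVerifier:
    """Stateless: any presentation before 'exp' succeeds, so a captured link
    lets an attacker run the same actions (e.g. register an authenticator)
    after the victim has already used it."""

    def verify(self, token: str, now: Optional[float] = None) -> Optional[Dict]:
        return _parse_and_verify(token, time.time() if now is None else now)


class SingleUseVerifier:
    """Stateful: remembers every consumed 'jti' until it expires and refuses
    a second presentation, closing the capture-replay window."""

    def __init__(self) -> None:
        self._consumed: Dict[str, int] = {}  # jti -> exp, so entries can be pruned

    def verify(self, token: str, now: Optional[float] = None) -> Optional[Dict]:
        now = time.time() if now is None else now
        claims = _parse_and_verify(token, now)
        if claims is None:
            return None
        self._prune(now)
        if claims["jti"] in self._consumed:
            return None  # replay: this link has already been used
        self._consumed[claims["jti"]] = claims["exp"]
        return claims

    def _prune(self, now: float) -> None:
        for jti, exp in list(self._consumed.items()):
            if exp <= now:
                del self._consumed[jti]


def simulate_intercepted_link(verifier) -> Tuple[bool, bool]:
    """Victim clicks the link, then an attacker who captured it replays it a
    minute later. Returns (victim_accepted, attacker_accepted)."""
    t0 = 1_700_000_000.0
    link = issue_action_token("victim@example.test", ["webauthn-register"], now=t0)
    victim_ok = verifier.verify(link, now=t0 + 60) is not None
    attacker_ok = verifier.verify(link, now=t0 + 120) is not None
    return victim_ok, attacker_ok


if __name__ == "__main__":
    print("replayable verifier:", simulate_intercepted_link(ReplayableVerifier()))
    print("single-use verifier:", simulate_intercepted_link(SingleUseVerifier()))
```

The consumed-ID store must be shared by every node that accepts the link (a replicated cache or database), otherwise a replay routed to a different node still succeeds; the expiry-keyed pruning keeps that store bounded by the action-token lifespan.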

Impact Analysis

This vulnerability can lead to unauthorized account takeover. An attacker who exploits this flaw can gain persistent access to a victim's account by registering their own hardware-backed authenticator.

Such unauthorized access compromises the confidentiality and integrity of the victim's account and any sensitive information or services accessible through it.

Compliance Impact

The vulnerability allows unauthorized enrollment of a hardware-backed credential to a victim's account, enabling persistent account takeover. This unauthorized access can lead to compromise of sensitive personal data, which may impact compliance with data protection regulations such as GDPR and HIPAA that require strict controls on access to personal and health information.

By enabling persistent account takeover, the flaw undermines authentication integrity and could result in unauthorized data access or disclosure, potentially violating confidentiality and security requirements mandated by these standards.

