CVE-2026-37982
Authentication Bypass in Keycloak WebAuthn Flow
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-294 | A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in Keycloak's authentication system involving the WebAuthn (Web Authentication) flow. It allows a remote attacker to replay ExecuteActionsActionToken tokens by intercepting an execute-actions email link. Through this, the attacker can register their own hardware-backed authenticator to a victim's account without authorization.
As a result, the attacker can persistently take over the victim's account by enrolling their own credential.
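The weakness the Q&A describes is CWE-294 capture-replay: a link that is still accepted after it has already been used. The following is an added illustration, not Keycloak's code and not the fix shipped for this CVE; it is a hypothetical single-use action-token service (assumed names: ActionTokenService, issue, consume, ReplayDetected, InvalidToken) showing why a signature and an expiry alone do not stop a replayed copy, and how a consumed-token-id store does.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class InvalidToken(Exception):
    """Token is malformed, forged, expired, or bound to another user/action."""


class ReplayDetected(Exception):
    """Token was syntactically valid but its id has already been consumed."""


class ActionTokenService:
    """Hypothetical issuer/verifier for emailed 'execute action' links.

    Constructed for illustration only; it is not Keycloak's implementation.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 900, clock=time.time):
        self._secret = secret
        self._ttl = ttl_seconds
        self._clock = clock
        # In-memory replay store (constructed stand-in for a shared, persistent store).
        self._consumed: set[str] = set()

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def issue(self, user_id: str, actions: list[str]) -> str:
        """Mint a signed token carrying a fresh random id (jti) and an expiry."""
        claims = {
            "sub": user_id,
            "act": actions,
            "jti": secrets.token_hex(16),
            "exp": int(self._clock()) + self._ttl,
        }
        payload = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()
        ).decode()
        return f"{payload}.{self._sign(payload.encode())}"

    def consume(self, token: str, expected_user: str, action: str) -> dict:
        """Validate the token and mark it used; a second call with the same token fails."""
        try:
            payload, sig = token.split(".", 1)
        except ValueError:
            raise InvalidToken("malformed token")
        # A replayed copy passes this check: the signature is genuine.
        if not hmac.compare_digest(sig, self._sign(payload.encode())):
            raise InvalidToken("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(payload))
        # A replayed copy passes this too, as long as it is used inside the TTL.
        if claims["exp"] < self._clock():
            raise InvalidToken("expired")
        if claims["sub"] != expected_user or action not in claims["act"]:
            raise InvalidToken("token not valid for this user or action")
        # This is the check that actually defeats capture-replay (CWE-294).
        if claims["jti"] in self._consumed:
            raise ReplayDetected(claims["jti"])
        self._consumed.add(claims["jti"])
        return claims


def demo() -> dict:
    """Legitimate first use succeeds; replaying the same link is rejected."""
    svc = ActionTokenService(secret=b"constructed-demo-secret")
    link_token = svc.issue("victim-user", ["webauthn-register"])
    first = svc.consume(link_token, "victim-user", "webauthn-register")
    try:
        svc.consume(link_token, "victim-user", "webauthn-register")  # replay attempt
        replay_accepted = True
    except ReplayDetected:
        replay_accepted = False
    return {"first_ok": first["sub"] == "victim-user", "replay_accepted": replay_accepted}


if __name__ == "__main__":
    print(demo())
```

Note that the consumed-id store must be shared by every node that can redeem a token and must survive until the token's expiry; an in-process set, as used here for illustration, would let a replay succeed on a different node. Detection-wise, a ReplayDetected event for a credential-registration action is worth alerting on, since the legitimate user rarely has a reason to click the same link twice.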
How can this vulnerability impact me?
This vulnerability can lead to unauthorized account takeover. An attacker who exploits this flaw can gain persistent access to a victim's account by registering their own hardware-backed authenticator.
Such unauthorized access compromises the confidentiality and integrity of the victim's account and any sensitive information or services accessible through it.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized enrollment of a hardware-backed credential to a victim's account, enabling persistent account takeover. This unauthorized access can lead to compromise of sensitive personal data, which may impact compliance with data protection regulations such as GDPR and HIPAA that require strict controls on access to personal and health information.
By enabling persistent account takeover, the flaw undermines authentication integrity and could result in unauthorized data access or disclosure, potentially violating confidentiality and security requirements mandated by these standards.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2026-37982 in Keycloak, it is recommended to update your Keycloak installation to the latest patched version that addresses this issue.
Although Resource 1 refers to a different CVE (CVE-2026-7507), it highlights the importance of applying updates to Red Hat builds of Keycloak to fix security issues.
Therefore, the immediate step is to check for and apply any available security patches or updates from your Keycloak vendor or distribution to prevent exploitation of the WebAuthn token replay vulnerability.