VYPR
High severity · NVD Advisory · Published Aug 26, 2022 · Updated Aug 3, 2024

CVE-2021-3632

Description

A flaw was found in Keycloak. In the WebAuthn password-less login flow, an account that had no security device or key registered yet was offered the chance to register one during login itself. Because the password-less flow verifies nothing beyond the username before that step, anyone who reaches it with such an account's username can register a new security device or key for that account. The fix (15.1.0) stops the password-less authenticator from offering credential setup during authentication.
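The decision the description turns on, as an added illustration that is not Keycloak's code: a model of how a flow handles a REQUIRED authenticator when the user has no credential of that type. The class and function names are assumptions; only the isUserSetupAllowed() switch and the version boundary (< 15.1.0 vulnerable, 15.1.0 fixed) come from the advisory. Run it to see that with setup allowed, a username alone earns a key-registration prompt, and with setup refused, the same login fails.

```python
"""Model of how an authentication flow decides what to do when a REQUIRED
authenticator finds no credential registered for the user.

Constructed illustration for CVE-2021-3632, not Keycloak's code: the class
and function names here are assumptions; only the isUserSetupAllowed()
switch and the version boundary come from the advisory.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Outcome(Enum):
    SUCCESS = "authenticated with a registered key"
    SETUP_OFFERED = "accepted, redirected to register a new key"
    FAILED = "login failed"


@dataclass
class AuthenticatorFactory:
    provider_id: str
    user_setup_allowed: bool  # value returned by isUserSetupAllowed()


@dataclass
class User:
    username: str
    registered_keys: Set[str] = field(default_factory=set)  # credential ids


def required_step(factory: AuthenticatorFactory, user: User,
                  assertion: Optional[str]) -> Outcome:
    """Decision for one REQUIRED execution of the authenticator for `user`.

    `assertion` is the credential id the client proved possession of, or None
    when the client presents nothing. Modelled after flow logic that consults
    isUserSetupAllowed() when the user has no credential of this type.
    """
    if user.registered_keys:
        # Normal case: a key exists, so the assertion must match one of them.
        return Outcome.SUCCESS if assertion in user.registered_keys else Outcome.FAILED
    if factory.user_setup_allowed:
        # No key yet and setup is permitted: the flow accepts the user and
        # queues a required action to register a key. Whoever reached this
        # point gets to register it.
        return Outcome.SETUP_OFFERED
    return Outcome.FAILED


def passwordless_login(factory: AuthenticatorFactory, directory: Dict[str, User],
                       username: str, assertion: Optional[str] = None) -> Outcome:
    """Password-less browser flow: a username form followed directly by the
    WebAuthn password-less authenticator. Nothing else is verified first."""
    user = directory.get(username)
    if user is None:
        return Outcome.FAILED
    return required_step(factory, user, assertion)


def account_takeover_possible(factory: AuthenticatorFactory,
                              directory: Dict[str, User]) -> bool:
    """True when knowing a username alone earns a key-registration prompt."""
    return any(passwordless_login(factory, directory, name) is Outcome.SETUP_OFFERED
               for name in directory)


# Constructed directory: alice has enrolled a key, bob never did.
DIRECTORY: Dict[str, User] = {
    "alice": User("alice", {"cred-alice-1"}),
    "bob": User("bob"),
}

# Before the fix the passwordless factory inherited the default (setup allowed).
VULNERABLE = AuthenticatorFactory("webauthn-authenticator-passwordless", user_setup_allowed=True)   # < 15.1.0
FIXED = AuthenticatorFactory("webauthn-authenticator-passwordless", user_setup_allowed=False)       # 15.1.0


if __name__ == "__main__":
    for label, factory in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, "bob, username only:", passwordless_login(factory, DIRECTORY, "bob").value)
        print(label, "alice, valid assertion:",
              passwordless_login(factory, DIRECTORY, "alice", "cred-alice-1").value)
        print(label, "takeover possible:", account_takeover_possible(factory, DIRECTORY))
```

The model makes the hardening visible as a one-bit change: refusing setup in a flow where no earlier step has verified the user turns "register your key" into "login failed" for every account that has not enrolled. An account that already has a key is unaffected either way, which is why the description limits the flaw to accounts with no device registered.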

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions   Patched versions
org.keycloak:keycloak-core   Maven       < 15.1.0            15.1.0


Patches

Commit 65480cb5a116

Prevent security flaw using passwordless authentication

https://github.com/keycloak/keycloak · Florian Ritterhoff · Jun 12, 2021 · via GHSA
1 file changed · +6 −0
  • services/src/main/java/org/keycloak/authentication/authenticators/browser/WebAuthnPasswordlessAuthenticatorFactory.java (+6 −0, modified)
    @@ -53,4 +53,10 @@ public Authenticator create(KeycloakSession session) {
         public String getId() {
             return PROVIDER_ID;
         }
    +
    +    @Override
    +    public boolean isUserSetupAllowed() {
    +        return false;
    +    }
    +
     }
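Review bot: the isUserSetupAllowed() override added at the end of this hunk hard-codes false with no comment saying why, and the commit (1 file changed) adds no test that would catch the override being dropped in a later refactor. Suggest a short Javadoc above the method stating that the password-less authenticator must never queue credential registration as a required action, since a user reaching it has not yet authenticated, plus a unit test asserting that this factory's isUserSetupAllowed() returns false.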
    

