VYPR
Medium severity (6.8) · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-37982

Description

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay ExecuteActionsActionToken tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Keycloak vulnerability allows replay of WebAuthn execute-actions tokens, enabling an attacker to register their own authenticator to a victim's account, leading to persistent account takeover.

Vulnerability

A flaw exists in Keycloak's handling of ExecuteActionsActionToken within the WebAuthn flow. The canUseTokenRepeatedly() method incorrectly treats tokens as reusable when required actions do not mark themselves as one-time. Tokens containing WEBAUTHN_REGISTER or WEBAUTHN_PASSWORDLESS_REGISTER can be replayed within their validity window [4]. This affects Keycloak versions prior to 26.4.12 [2][3].
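The paragraph above describes a default-to-reusable rule: a token stays replayable unless one of its required actions explicitly declares itself one-time. The following added example (constructed for this page, not Keycloak's code) models that rule beside a safe-default rule, redeems the same execute-actions token twice under each, and runs a small audit-log check that flags token ids redeemed more than once. All names (`ActionToken`, `SELF_DECLARED_ONE_TIME`, `EXPLICITLY_REUSABLE`, `TokenRedemptionService`) are assumptions of the model, not identifiers from the project.

```python
"""Constructed model of single-use action-token enforcement (not Keycloak code)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class ActionToken:
    token_id: str                      # unique id of the issued token
    user_id: str                       # account the link was issued for
    required_actions: Tuple[str, ...]  # actions the link will execute


# Hypothetical registry of actions that explicitly declared themselves one-time.
# The WebAuthn registration actions are deliberately absent, modelling the
# condition described in the advisory (they never mark themselves one-time).
SELF_DECLARED_ONE_TIME: FrozenSet[str] = frozenset({"UPDATE_PASSWORD"})

# Hypothetical allow-list for the corrected rule: nothing opts in to reuse.
EXPLICITLY_REUSABLE: FrozenSet[str] = frozenset()


def reusable_vulnerable(token: ActionToken) -> bool:
    """Flawed rule: the token may be reused unless some action opted in to
    single-use. Actions that never declared themselves leave it replayable."""
    return not any(a in SELF_DECLARED_ONE_TIME for a in token.required_actions)


def reusable_fixed(token: ActionToken) -> bool:
    """Safe-default rule: single-use unless every carried action explicitly
    opted in to reuse. A token with no actions is also treated as single-use
    (all() over an empty tuple would otherwise return True)."""
    return bool(token.required_actions) and all(
        a in EXPLICITLY_REUSABLE for a in token.required_actions
    )


class TokenRedemptionService:
    """Tracks redeemed token ids and applies a reuse rule on a second presentation."""

    def __init__(self, reusable_rule: Callable[[ActionToken], bool]) -> None:
        self._reusable_rule = reusable_rule
        self._used_ids: Set[str] = set()
        self.audit_log: List[str] = []

    def redeem(self, token: ActionToken) -> str:
        if token.token_id in self._used_ids and not self._reusable_rule(token):
            self.audit_log.append(f"REPLAY token_id={token.token_id} user={token.user_id}")
            return "rejected: token already used"
        self._used_ids.add(token.token_id)
        self.audit_log.append(
            f"REDEEMED token_id={token.token_id} user={token.user_id} "
            f"actions={','.join(token.required_actions)}"
        )
        return "accepted"


def find_repeated_redemptions(log_lines: List[str]) -> List[str]:
    """Detection check over the audit log: token ids redeemed more than once."""
    counts: Dict[str, int] = {}
    for line in log_lines:
        if line.startswith("REDEEMED "):
            token_id = line.split()[1].split("=", 1)[1]
            counts[token_id] = counts.get(token_id, 0) + 1
    return sorted(t for t, n in counts.items() if n > 1)


def simulate(rule: Callable[[ActionToken], bool]) -> Tuple[List[str], List[str]]:
    """Present one WebAuthn execute-actions token twice under the given rule.
    Returns (outcomes of both presentations, token ids the log check flags)."""
    service = TokenRedemptionService(rule)
    token = ActionToken("tok-0001", "alice", ("WEBAUTHN_REGISTER",))  # constructed sample
    outcomes = [service.redeem(token), service.redeem(token)]
    return outcomes, find_repeated_redemptions(service.audit_log)


if __name__ == "__main__":
    print("vulnerable rule:", simulate(reusable_vulnerable))
    print("fixed rule:     ", simulate(reusable_fixed))
```

Under the flawed rule both presentations are accepted and only the log check reveals the double redemption; under the safe-default rule the second presentation is rejected at redemption time. The log check is the kind of signal a defender can look for while the upgrade described under Mitigation is being rolled out.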

Exploitation

An attacker with access to an execute-actions email link (via email interception, log leakage, or mailbox compromise) can replay the token during its validity window. The attacker completes the WebAuthn registration with their own authenticator before the victim uses the link. This can be exploited remotely when WebAuthn required actions are enabled [4].

Impact

Successful exploitation allows the attacker to enroll a hardware-backed credential on the victim's account, leading to persistent and stealthy account takeover. The attacker can subsequently authenticate as the victim [1][4].

Mitigation

The vulnerability is fixed in Keycloak version 26.4.12, released on 2026-05-20 (see RHSA-2026:19597 and RHSA-2026:19596) [2][3]. Users should upgrade to this version or later. No workaround is currently available.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)