{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-37982", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-06T07:48:39.722Z", "datePublished": "2026-05-19T10:52:32.486Z", "dateUpdated": "2026-05-19T10:52:32.486Z"}, "containers": {"cna": {"title": "Keycloak: org.keycloak.authentication: keycloak: unauthorized account takeover via webauthn token replay", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-37982", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455329", "name": "RHBZ#2455329", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-05-19T00:00:00.000Z", "workarounds": [{"lang": "en", "value": "To mitigate this issue, consider disabling WebAuthn required actions in Keycloak if they are not essential for your deployment. This will prevent the vulnerable token replay mechanism from being exploited. Consult Keycloak documentation for specific configuration steps to disable WebAuthn required actions. Note that applying configuration changes may require a service restart and could impact functionality relying on WebAuthn registration."}], "timeline": [{"lang": "en", "time": "2026-04-06T08:00:08.777Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-05-19T00:00:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-19T10:52:32.486Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover."}], "id": "CVE-2026-37982", "lastModified": "2026-05-19T12:16:18.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-05-19T12:16:18.610", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-37982"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455329"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received"}

{"bugzilla": {"description": "keycloak: org.keycloak.authentication: Keycloak: Unauthorized account takeover via WebAuthn token replay", "id": "2455329", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455329"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "draft"}, "details": ["A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, consider disabling WebAuthn required actions in Keycloak if they are not essential for your deployment. This will prevent the vulnerable token replay mechanism from being exploited. Consult Keycloak documentation for specific configuration steps to disable WebAuthn required actions. Note that applying configuration changes may require a service restart and could impact functionality relying on WebAuthn registration."}, "name": "CVE-2026-37982", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk/keycloak-rhel9", "product_name": "Red Hat Build of Keycloak"}], "public_date": "2026-05-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-37982\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-37982"], "statement": "This vulnerability has a Moderate impact on Red Hat Build of Keycloak (RHBK). A flaw in Keycloak's WebAuthn flow allows an attacker who gains access to an execute-actions email link to replay tokens containing WEBAUTHN_REGISTER or WEBAUTHN_PASSWORDLESS_REGISTER. This enables unauthorized WebAuthn registration with the attacker's authenticator on the victim's account, leading to account takeover. Exploitation requires WebAuthn required actions to be enabled and the email link to be compromised.", "threat_severity": "Moderate"}

{"created": "2026-05-19T12:30:05.015786+00:00", "updated": "2026-05-19T12:30:05.015797+00:00", "vendors": [], "weaknesses": ["CWE-1025", "CWE-602"]}