Authentication Flaw in Keycloak Allows Remote Account Takeover
CVE-2026-37982

6.8 MEDIUM

What is CVE-2026-37982?

Keycloak's WebAuthn (Web Authentication) flow does not adequately protect the 'ExecuteActionsActionToken' that backs execute-actions email links. A remote attacker who intercepts such a link can replay the token and complete the required action themselves, registering their own WebAuthn authenticator on the victim's account. The outcome is an unauthorized, hardware-backed credential enrolled on the victim's account, which gives the attacker persistent access: the credential is a legitimate authenticator rather than a stolen session, so it keeps working until the user or an administrator removes it. The attack depends on intercepting the link and on user interaction on the target side (hence the MEDIUM score), but a successful enrollment is a full account takeover, so affected deployments should update promptly and audit WebAuthn credentials registered around any execute-actions email.
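The replay pattern described above leaves a recognizable trail in Keycloak's event log: one execute-actions email should be followed by at most one successful action-token execution and one WebAuthn registration. The hunt script below is an added example, not part of this advisory or of Keycloak's own code; the event type names (EXECUTE_ACTIONS, EXECUTE_ACTION_TOKEN, UPDATE_CREDENTIAL), the field and details keys, and the sample records are assumptions modelled on Keycloak's event format, so check them against a real export before relying on the output.

```python
"""Hunt for possible ExecuteActionsActionToken replay in a Keycloak event export.

Heuristic: a user with more action-token executions than execute-actions emails,
or with WebAuthn registrations arriving from more than one client IP, warrants
a manual review of that user's registered authenticators.
"""
import json
from collections import defaultdict

# Constructed sample events, not a real export. Event type names, field names
# (time, type, userId, ipAddress, details) and details keys are assumptions
# modelled on Keycloak's event log. 'alice' shows the replay pattern; 'bob'
# shows a normal enrollment.
SAMPLE_EVENTS = """\
{"time":1700000000000,"type":"EXECUTE_ACTIONS","userId":"alice","ipAddress":"10.0.0.5","details":{"action":"webauthn-register"}}
{"time":1700000060000,"type":"EXECUTE_ACTION_TOKEN","userId":"alice","ipAddress":"203.0.113.10","details":{"action":"execute-actions"}}
{"time":1700000120000,"type":"UPDATE_CREDENTIAL","userId":"alice","ipAddress":"203.0.113.10","details":{"credential_type":"webauthn"}}
{"time":1700000300000,"type":"EXECUTE_ACTION_TOKEN","userId":"alice","ipAddress":"198.51.100.77","details":{"action":"execute-actions"}}
{"time":1700000360000,"type":"UPDATE_CREDENTIAL","userId":"alice","ipAddress":"198.51.100.77","details":{"credential_type":"webauthn"}}
{"time":1700001000000,"type":"EXECUTE_ACTIONS","userId":"bob","ipAddress":"10.0.0.5","details":{"action":"webauthn-register"}}
{"time":1700001060000,"type":"EXECUTE_ACTION_TOKEN","userId":"bob","ipAddress":"203.0.113.20","details":{"action":"execute-actions"}}
{"time":1700001120000,"type":"UPDATE_CREDENTIAL","userId":"bob","ipAddress":"203.0.113.20","details":{"credential_type":"webauthn"}}
"""

# Credential types that represent a WebAuthn authenticator (assumed names).
WEBAUTHN_TYPES = {"webauthn", "webauthn-passwordless"}


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_replay_candidates(events):
    """Return {userId: finding} for users whose activity exceeds the expected
    one email -> one token execution -> one WebAuthn registration chain."""
    per_user = defaultdict(lambda: {"emails": 0, "token_ips": [], "webauthn_ips": []})
    for ev in sorted(events, key=lambda e: e["time"]):
        rec = per_user[ev.get("userId", "?")]
        etype = ev.get("type")
        ip = ev.get("ipAddress", "?")
        if etype == "EXECUTE_ACTIONS":
            rec["emails"] += 1
        elif etype == "EXECUTE_ACTION_TOKEN":
            rec["token_ips"].append(ip)
        elif etype == "UPDATE_CREDENTIAL" and ev.get("details", {}).get("credential_type") in WEBAUTHN_TYPES:
            rec["webauthn_ips"].append(ip)

    findings = {}
    for user, rec in per_user.items():
        reasons = []
        if len(rec["token_ips"]) > rec["emails"]:
            reasons.append("more action-token executions than execute-actions emails")
        if len(set(rec["webauthn_ips"])) > 1:
            reasons.append("WebAuthn registrations from multiple client IPs")
        if reasons:
            findings[user] = {
                "reasons": reasons,
                "token_ips": rec["token_ips"],
                "webauthn_ips": rec["webauthn_ips"],
            }
    return findings


if __name__ == "__main__":
    for user, finding in find_replay_candidates(parse_events(SAMPLE_EVENTS)).items():
        print(user, finding)
```

Run it against an export of the realm's user events (the "Events" page or the admin REST events endpoint both give the same record shape, subject to the assumptions above). A flagged user is not proof of compromise, but every WebAuthn credential that user registered after the execute-actions email should be reviewed and, if it cannot be accounted for, removed.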

Affected Version(s)

Red Hat build of Keycloak 26.4 26.4.12-1

Red Hat build of Keycloak 26.4 26.4-17

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Vector (derived from the metrics below): CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Note: a 6.8 base score is only consistent with an availability impact of None; with the same exploitability metrics and C:H/I:H/A:H the CVSS v3.1 base score would be 7.5 (HIGH).

Timeline

  • Vulnerability published

  • Vulnerability Reserved
