{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-37982","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2026-04-06T07:48:39.722Z","datePublished":"2026-05-19T10:52:32.486Z","dateUpdated":"2026-05-20T16:08:55.881Z"},"containers":{"cna":{"title":"Keycloak: org.keycloak.authentication: keycloak: unauthorized account takeover via webauthn token replay","metrics":[{"other":{"content":{"value":"Moderate","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.8,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover."}],"affected":[{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-operator-bundle","defaultStatus":"affected","versions":[{"version":"26.4.12-1","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9","defaultStatus":"affected","versions":[{"version":"26.4-17","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9-operator","defaultStatus":"affected","versions":[{"version":"26.4-17","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4.12","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","defaultStatus":"unaffected","packageName":"rhbk/keycloak-rhel9","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:19596","name":"RHSA-2026:19596","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:19597","name":"RHSA-2026:19597","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/security/cve/CVE-2026-37982","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455329","name":"RHBZ#2455329","tags":["issue-tracking","x_refsource_REDHAT"]}],"datePublic":"2026-05-19T00:00:00.000Z","workarounds":[{"lang":"en","value":"To mitigate this issue, consider disabling WebAuthn required actions in Keycloak if they are not essential for your deployment. This will prevent the vulnerable token replay mechanism from being exploited. Consult Keycloak documentation for specific configuration steps to disable WebAuthn required actions. Note that applying configuration changes may require a service restart and could impact functionality relying on WebAuthn registration."}],"timeline":[{"lang":"en","time":"2026-04-06T08:00:08.777Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-19T00:00:00.000Z","value":"Made public."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-05-20T16:08:55.881Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-294","lang":"en","description":"CWE-294 Authentication Bypass by Capture-replay"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-19T13:37:29.663865Z","id":"CVE-2026-37982","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-19T13:38:00.236Z"}}]}}