Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-19T00:00:00 keycloak: org.keycloak.authentication: Keycloak: Unauthorized account takeover via WebAuthn token replay 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.

This vulnerability has a Moderate impact on Red Hat Build of Keycloak (RHBK). A flaw in Keycloak's WebAuthn flow allows an attacker who gains access to an execute-actions email link to replay tokens containing WEBAUTHN_REGISTER or WEBAUTHN_PASSWORDLESS_REGISTER. This enables unauthorized WebAuthn registration with the attacker's authenticator on the victim's account, leading to account takeover. Exploitation requires WebAuthn required actions to be enabled and the email link to be compromised. To mitigate this issue, consider disabling WebAuthn required actions in Keycloak if they are not essential for your deployment. This will prevent the vulnerable token replay mechanism from being exploited. Consult Keycloak documentation for specific configuration steps to disable WebAuthn required actions. Note that applying configuration changes may require a service restart and could impact functionality relying on WebAuthn registration. Red Hat build of Keycloak 26.4 2026-05-20T00:00:00Z RHSA-2026:19597 rhbk/keycloak-operator-bundle:26.4.12-1 Red Hat build of Keycloak 26.4 2026-05-20T00:00:00Z RHSA-2026:19597 rhbk/keycloak-rhel9:26.4-17 Red Hat build of Keycloak 26.4 2026-05-20T00:00:00Z RHSA-2026:19597 rhbk/keycloak-rhel9-operator:26.4-17 Red Hat build of Keycloak 26.4.12 2026-05-20T00:00:00Z RHSA-2026:19596 rhbk/keycloak-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-37982 https://nvd.nist.gov/vuln/detail/CVE-2026-37982