Keycloak (Red Hat build) – Authentication Bypass via WebAuthn Token Replay – CVE-2026-37982 (High Severity) -DC-Jun2026-155

Intro: How CVE-2026-37982 Works

CVE-2026-37982 is an authentication vulnerability in Keycloak that stems from the incorrect handling of single-use tokens within the WebAuthn (Web Authentication) flow. The core of the issue lies in the `canUseTokenRepeatedly()` function, which is responsible for determining whether a specific `ExecuteActionsActionToken` can be reused. Under normal operation, a required-action token, such as one for registering a WebAuthn authenticator, is intended to be a one-time use credential. When a user requests a password reset or a new authenticator, Keycloak generates a unique token and sends it via email as part of an “execute-actions” email link. Once the user clicks the link and completes the required action, the token is consumed and should become invalid.
However, the vulnerable logic incorrectly marks certain `ExecuteActionsActionToken` instances, particularly those associated with WebAuthn actions like `WEBAUTHN_REGISTER` or `WEBAUTHN_PASSWORDLESS_REGISTER`, as reusable. This flaw allows a man-in-the-middle (MITM) attacker who can intercept or gain access to the victim’s email to capture the “execute-actions” link. The attacker can then replay the captured token repeatedly, even after the victim has successfully used it.
By replaying the token within the WebAuthn flow, an attacker can trigger a new registration ceremony with Keycloak. The server, treating the replayed token as valid, will accept the attacker’s hardware-backed authenticator (such as a YubiKey or Trusted Platform Module) and enroll it into the victim’s account. This enrollment does not notify the user and does not invalidate the victim’s existing authentication methods. As a result, the attacker gains a persistent, hardware-backed backdoor into the victim’s account, allowing them to bypass password requirements and authentication policies indefinitely.
The issue is not limited to WebAuthn; any required action implemented via `RequiredActionFactory` and exposed through the “execute-actions” email flow inherits the same incorrect one-time-use semantics. This includes flows for TOTP enrollment, account deletion, and other sensitive account management actions, greatly expanding the attack surface beyond just WebAuthn. The attack requires user interaction in the form of the victim requesting a WebAuthn enrollment action, and the attacker must intercept the resulting email link. The vulnerability has been patched in Keycloak versions 26.4.12 and 26.6.2.
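The one-time-use semantics described above, as an added illustrative model (not Keycloak's code): a consumed-token store records each execute-actions token on first use unless the policy declares the token reusable, so a policy that answers "reusable" for WebAuthn actions lets the same token enroll a second authenticator, while the patched policy refuses the replay. Token ids, user ids and authenticator labels are constructed sample values.

```python
from dataclasses import dataclass, field
import time

# Required-action ids named in the advisory; the rest of this model is hypothetical.
WEBAUTHN_ACTIONS = {"WEBAUTHN_REGISTER", "WEBAUTHN_PASSWORDLESS_REGISTER"}


@dataclass
class ExecuteActionsToken:
    token_id: str        # constructed: unique id carried by the email link
    user_id: str
    actions: list
    expires_at: float    # absolute expiry, seconds since epoch


@dataclass
class SingleUseStore:
    """Ids of tokens already consumed (stand-in for a server-side single-use store)."""
    consumed: set = field(default_factory=set)


def can_use_token_repeatedly_vulnerable(token):
    # Pre-fix behaviour as the advisory describes it: WebAuthn required-action
    # tokens are treated as reusable, so they are never marked as consumed.
    return any(a in WEBAUTHN_ACTIONS for a in token.actions)


def can_use_token_repeatedly_fixed(token):
    # Patched behaviour: every execute-actions token is one-time use.
    return False


def handle_action_link(token, store, enrolled, policy, authenticator, now=None):
    """Process one presentation of an execute-actions link.

    Returns True if the required action ran (an authenticator was enrolled),
    False if the token was rejected as expired or already consumed."""
    now = time.time() if now is None else now
    if now >= token.expires_at:
        return False
    if not policy(token):
        if token.token_id in store.consumed:
            return False                      # replay of a consumed token
        store.consumed.add(token.token_id)    # consume on first use
    enrolled.setdefault(token.user_id, []).append(authenticator)
    return True


def replay_outcome(policy):
    """The link is used once legitimately, then the same token is presented
    again. Returns the authenticators enrolled on the account afterwards."""
    token = ExecuteActionsToken("tok-1", "alice", ["WEBAUTHN_REGISTER"], 2000.0)
    store, enrolled = SingleUseStore(), {}
    handle_action_link(token, store, enrolled, policy, "victim-key", now=1000.0)
    handle_action_link(token, store, enrolled, policy, "replayed-key", now=1500.0)
    return enrolled["alice"]
```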

DailyCVE Form

Platform: Red Hat Keycloak
Version: 26.4.x prior to 26.4.12
Vulnerability: WebAuthn Token Replay
Severity: 7.6 High (CVSS)
Date: May 19, 2026

Prediction: May 20, 2026 (Patched)

Analytics: What Undercode Says

The EPSS (Exploit Prediction Scoring System) probability for this vulnerability is exceptionally low, currently at 0.02%, placing it in the 5th percentile of all known vulnerabilities. However, this low probability does not reflect the potential impact if exploited. The primary attack vector is Network, with High attack complexity due to the requirement of intercepting a specific email link and the prerequisite that WebAuthn actions be enabled. The vulnerability is considered to have a High impact on both confidentiality and integrity, with No impact on availability. Red Hat has released a security advisory (RHSA-2026:19597) and new container images for the Keycloak 26.4.12 Operator and server.
To verify whether a system is affected, the following command checks the Keycloak version running in a Podman or Docker container:

```shell
# Check Keycloak version in a container
podman exec <keycloak_container_id> /opt/keycloak/bin/kc.sh version
```

Expected vulnerable output example:

```
Keycloak 26.4.1
```

Expected patched output:

```
Keycloak 26.4.12
```

For a deployed Keycloak instance accessible via the admin REST API, the version can be queried from the server info endpoint. The endpoint requires an admin bearer token; `<ADMIN_TOKEN>` is a placeholder (the OpenID discovery document does not expose the server version, so `.well-known/openid-configuration` cannot be used for this check):

```shell
# Query server version from the admin server-info endpoint
curl -s -k -H "Authorization: Bearer <ADMIN_TOKEN>" https://<KEYCLOAK_HOST>/admin/serverinfo | jq -r '.systemInfo.version'
```

Exploit:

A successful exploitation chain proceeds as follows:

1. Prerequisite: The attacker gains access to a victim’s email inbox (e.g., via compromise) and identifies a pending “execute-actions” email link for registering a WebAuthn authenticator.
2. Capture: The attacker extracts the full URL from the email. This URL contains the `ExecuteActionsActionToken` as a path parameter.

   Example token pattern:

   `https://<KEYCLOAK_HOST>/realms/<REALM>/login-actions/required-action?execution=WEBAUTHN_REGISTER&client_id=<CLIENT>&tab_id=<TAB_ID>`

   (Note: the actual token is embedded within a longer session path, not directly as a query parameter in the email link; the attacker intercepts the HTTP request containing the token to replay it.)
3. First Click (Victim): The victim clicks the legitimate link, completes the authenticator registration ceremony, and the token is consumed by Keycloak. The account now has the victim’s authenticator enrolled.
4. Replay (Attacker): Before the token’s absolute expiration time (if any), the attacker replays the exact captured token to Keycloak. This is typically done by crafting a new HTTP GET request to the same endpoint as the original link, using the same token value. Because the `canUseTokenRepeatedly()` function returns `true` for this token type, Keycloak accepts it as valid.
5. Attacker Registration: Keycloak presents the attacker with the WebAuthn registration ceremony. The attacker uses their own hardware authenticator to complete the ceremony.
6. Takeover: Keycloak successfully enrolls the attacker’s authenticator into the victim’s user account. The attacker now possesses a persistent hardware-backed credential that grants them complete access to the victim’s account without needing a password.

Protection:

Immediate Patching: Upgrade Keycloak to a patched version as published in the security advisory. The fixed versions are Keycloak 26.4.12 or Keycloak 26.6.2 (or any later release).
Temporary Mitigation: If patching cannot be performed immediately, disable WebAuthn required actions in the Keycloak admin console if they are not business-critical. Navigate to Authentication → Required Actions and disable `webauthn-register` and `webauthn-passwordless-register`. This prevents new registration flows, breaking the attack path. Note that this will impact any functionality relying on WebAuthn enrollment.
Network-Level Workarounds: Implement strict email filtering and monitoring to detect the exfiltration of “execute-actions” links. Consider using a web application firewall (WAF) to inspect and rate-limit requests to `/login-actions/required-action` endpoints. However, these are partial mitigations and do not address the root cause.

Impact:

Successful exploitation of CVE-2026-37982 allows an attacker to achieve a persistent, silent account takeover. By enrolling their own hardware-bound authenticator (e.g., a security key, TPM, or biometric device), the attacker bypasses all password-based authentication mechanisms and second-factor requirements except those enforced after the vulnerable enrollment flow. The victim retains full access to their account, leading to a situation of ambiguous access, where both parties can log in without the other’s knowledge. This is particularly devastating for privileged accounts (administrators) or sensitive applications, as the attacker can maintain access even if the victim changes their password or other credentials. The vulnerability has a High impact on both confidentiality and integrity, as the attacker can read and modify all data associated with the compromised account. There is no direct impact on availability.

Sources:

Reported By: nvd.nist.gov