2455329 – (CVE-2026-37982) CVE-2026-37982 keycloak: org.keycloak.authentication: Keycloak: Unauthorized account takeover via WebAuthn token replay

Bug 2455329 (CVE-2026-37982) - CVE-2026-37982 keycloak: org.keycloak.authentication: Keycloak: Unauthorized account takeover via WebAuthn token replay

Summary: CVE-2026-37982 keycloak: org.keycloak.authentication: Keycloak: Unauthorized ...

Keywords:
Status:	NEW
Alias:	CVE-2026-37982
Deadline:	2026-06-23
Product:	Security Response
Classification:	Other
Component:	vulnerability-draft
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-06 08:00 UTC by OSIDB Bzimport
Modified:	2026-05-19 10:45 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-06 08:00:32 UTC

Authentication / credential-enrollment vulnerability in Keycloak’s handling of ExecuteActionsActionToken for WebAuthn flows. The flaw is caused by canUseTokenRepeatedly() treating tokens as reusable when required actions do not mark themselves as one-time, so tokens containing WEBAUTHN_REGISTER or WEBAUTHN_PASSWORDLESS_REGISTER can be replayed within their validity window. When an attacker gains access to an execute-actions email link, they can complete WebAuthn registration with their own authenticator on the victim’s account before the victim uses it. This can be exploited remotely when WebAuthn required actions are enabled and the link is obtained via email interception, log leakage, or mailbox compromise. Successful exploitation results in unauthorized enrollment of a hardware-backed credential, enabling stealthy and persistent account takeover.

Note You need to log in before you can comment on or make changes to this bug.