PatchSiren cyber security CVE debrief
CVE-2026-37982 Red Hat CVE debrief
CVE-2026-37982 describes an authentication weakness in Keycloak's WebAuthn flow where an `ExecuteActionsActionToken` can be replayed. If an attacker intercepts the execute-actions email link, they may be able to register their own authenticator to a victim account, creating a path to unauthorized credential enrollment and persistent account takeover. The supplied NVD snapshot lists the issue as CVSS 3.1 6.8 (Medium).
- Vendor: Red Hat
- Product: Red Hat build of Keycloak 26.4
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Keycloak administrators, identity and access management teams, and security operators responsible for WebAuthn enrollment, email-driven account actions, and SSO protections should pay attention.
Technical summary
The source description says the flaw allows replay of `ExecuteActionsActionToken` tokens during Keycloak's WebAuthn flow. Because the token is still honoured after it has been used or intercepted, an attacker who obtains the execute-actions email link may be able to complete authenticator enrollment for the victim account. NVD maps the issue to CWE-294 (Authentication Bypass by Capture-replay) and gives the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N: the flaw is reachable over the network without prior privileges (AV:N, PR:N), but the attack complexity is high (AC:H, since the attacker must first obtain the link) and user interaction is required (UI:R), which is what keeps the score at Medium despite the High confidentiality and integrity impact.
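The defensive property the advisory is really about is single use. The block below is an added example, not Keycloak's code and not a model of its internal `ExecuteActionsActionToken` handling: it issues a signed, expiring action token carrying a random nonce, then shows a verifier that checks only signature and expiry (so a captured link can be redeemed again, the CWE-294 pattern) beside one that records each nonce on first use and refuses it afterwards, optionally binding the token to the browser session that requested it. The signing key, claim names and session binding are all assumptions for illustration.

```python
"""Single-use action tokens: why capture-replay works and how to stop it.

Added example, not Keycloak's code. The token format (signed JSON with a
nonce, expiry and optional session id) and the signing key are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # hypothetical realm secret, fresh per run


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_action_token(user_id, actions, ttl=900, now=None, session_id=None):
    """Issue a signed, expiring token with a fresh nonce; 'sid' is optional."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "actions": list(actions), "exp": now + ttl,
              "nonce": secrets.token_hex(16), "sid": session_id}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def parse_action_token(token, now):
    """Integrity and expiry checks shared by both verifiers. Returns claims or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    claims = json.loads(_unb64(body))
    if claims["exp"] < now:
        return None  # expired
    return claims


class VulnerableVerifier:
    """Signature and expiry only: a valid token is accepted every time it is presented,
    so whoever captured the email link can redeem it too (CWE-294)."""

    def verify(self, token, now, session_id=None):
        return parse_action_token(token, now)


class HardenedVerifier:
    """Single use plus optional session binding.

    The nonce is recorded on first successful redemption and refused after that.
    Consumed nonces are pruned once expired, because parse_action_token will
    reject an expired token anyway, so the store stays bounded."""

    def __init__(self):
        self._consumed = {}  # nonce -> expiry

    def verify(self, token, now, session_id=None):
        claims = parse_action_token(token, now)
        if claims is None:
            return None
        if claims.get("sid") is not None and claims["sid"] != session_id:
            return None  # opened from a browser session other than the one that requested it
        self._consumed = {n: e for n, e in self._consumed.items() if e >= now}
        if claims["nonce"] in self._consumed:
            return None  # replay: this link has already been used
        self._consumed[claims["nonce"]] = claims["exp"]
        return claims
```

The consumed-nonce store must be shared across every node that can redeem a token; a per-process set reopens the replay window on any multi-node deployment, which is the kind of gap a single-use check quietly fails on.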
Defensive priority
Moderate to high for exposed Keycloak deployments. Although user interaction is required and NVD lists the issue as Medium severity, the impact includes authenticator enrollment and account takeover, which can be operationally serious for IAM environments.
Recommended defensive actions
- Review Keycloak instances for any available vendor patches or Red Hat errata tied to CVE-2026-37982.
- Treat execute-actions email links as sensitive, one-time credentials and ensure they are not forwarded or logged unnecessarily.
- Audit recent authenticator enrollments and account recovery or execute-actions events for unexpected activity.
- Harden email access and monitoring, since interception of the execute-actions link is the enabling step described in the source record.
- Revalidate MFA/WebAuthn enrollment workflows and session handling after applying any available remediation.
- Track the Red Hat CVE advisory and Bugzilla reference for vendor-specific guidance and fix status.
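For the audit step above, the block below is an added example of detection logic, not a Keycloak feature or a known signature for this CVE. It walks Keycloak-style user event records (JSON lines with `type`, `time` in milliseconds, `userId`, `ipAddress`, `details`) and flags a credential enrollment that follows action-token redemptions from more than one source address, or an enrollment from an address that never redeemed the token. The sample events are constructed, and the event type names and detail keys used here are assumptions; check them against the event types your Keycloak version actually emits before running this against real logs.

```python
"""Hunt for action-token redemption followed by an unexpected credential enrollment.

Added example, not Keycloak's code. Event type names, detail keys and the
sample records are assumptions constructed for illustration.
"""
import json
from collections import defaultdict

# Assumed event type names; verify against your Keycloak version's event list.
REDEMPTION_TYPES = {"EXECUTE_ACTION_TOKEN", "EXECUTE_ACTIONS"}
ENROLLMENT_TYPES = {"UPDATE_CREDENTIAL", "UPDATE_TOTP"}
WINDOW_MS = 30 * 60 * 1000  # look back 30 minutes from each enrollment

# Constructed sample: alice's link is redeemed from two addresses before a
# WebAuthn enrollment; bob's flow is clean; carol only logs in.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"type": "EXECUTE_ACTION_TOKEN", "time": 1_700_000_000_000, "userId": "alice",
     "ipAddress": "203.0.113.5", "details": {"action": "webauthn-register"}},
    {"type": "EXECUTE_ACTION_TOKEN", "time": 1_700_000_060_000, "userId": "alice",
     "ipAddress": "198.51.100.7", "details": {"action": "webauthn-register"}},
    {"type": "UPDATE_CREDENTIAL", "time": 1_700_000_120_000, "userId": "alice",
     "ipAddress": "198.51.100.7", "details": {"credential_type": "webauthn"}},
    {"type": "EXECUTE_ACTION_TOKEN", "time": 1_700_000_200_000, "userId": "bob",
     "ipAddress": "192.0.2.10", "details": {"action": "webauthn-register"}},
    {"type": "UPDATE_CREDENTIAL", "time": 1_700_000_260_000, "userId": "bob",
     "ipAddress": "192.0.2.10", "details": {"credential_type": "webauthn"}},
    {"type": "LOGIN", "time": 1_700_000_300_000, "userId": "carol",
     "ipAddress": "192.0.2.20", "details": {}},
])


def parse_event_lines(text):
    """Parse JSON-lines event export, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_suspicious_enrollments(events, window_ms=WINDOW_MS):
    """Return one finding per enrollment whose preceding token redemptions look replayed."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user[ev.get("userId")].append(ev)

    findings = []
    for user, evs in by_user.items():
        redemptions = [e for e in evs if e["type"] in REDEMPTION_TYPES]
        for enr in (e for e in evs if e["type"] in ENROLLMENT_TYPES):
            recent = [r for r in redemptions if 0 <= enr["time"] - r["time"] <= window_ms]
            if not recent:
                continue  # enrollment not driven by an action token; out of scope here
            ips = {r.get("ipAddress") for r in recent}
            if len(ips) >= 2:
                reason = "action token redeemed from multiple source addresses before enrollment"
            elif enr.get("ipAddress") not in ips:
                reason = "enrollment from an address that did not redeem the action token"
            else:
                continue
            findings.append({"userId": user, "enrollment_time": enr["time"],
                             "redemption_ips": sorted(ips), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(parse_event_lines(SAMPLE_LOG)):
        print(json.dumps(f))
```

Because the source record describes interception of the email link as the enabling step, redemptions from two addresses for one user inside a short window is the most direct signal to hunt for; a single redemption from an address the victim never used is weaker but still worth a look.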
Evidence notes
The supplied NVD record for CVE-2026-37982 was published on 2026-05-19 and modified on 2026-05-20, with the source snapshot still marked "Undergoing Analysis." NVD cites Red Hat errata RHSA-2026:19596 and RHSA-2026:19597, a Red Hat CVE advisory page, and a Red Hat Bugzilla ticket as references. The NVD metadata also provides CVSS 3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N and CWE-294.
Official resources
Public CVE record published 2026-05-19 and modified 2026-05-20. In the supplied NVD snapshot, the record was still marked "Undergoing Analysis."