What is the CVSS score of CVE-2026-37982?

CVE-2026-37982 has a CVSS 3.1 base score of 6.8 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-37982?

Yes, a patch is available for CVE-2026-37982. Update the affected software to the latest version immediately.

Red Hat Keycloak CVE-2026-37982

EUVD-2026-30886 MEDIUM

Authentication Bypass by Capture-replay (CWE-294)

2026-05-19 redhat

GHSA-w4p5-rfh6-cwrv

Authentication Bypass Red Hat

6.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

May 19, 2026 - 12:03 vuln.today

DescriptionNVD

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay ExecuteActionsActionToken tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.

AnalysisAI

Token replay exploitation in Red Hat Build of Keycloak's WebAuthn flow allows an unauthenticated remote attacker who intercepts an ExecuteActionsActionToken email link to enroll their own hardware-backed WebAuthn authenticator to a victim's account. Successful exploitation bypasses authentication entirely and grants the attacker persistent, credential-backed access to the compromised account. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory