GHSA-w4p5-rfh6-cwrvMediumCVSS 6.8

Keycloak: Unauthorized account takeover via WebAuthn token replay

Published
May 19, 2026
Last Modified
June 4, 2026

🔗 CVE IDs covered (1)

📋 Description

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay ExecuteActionsActionToken tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.

🎯 Affected products1

  • maven/org.keycloak:keycloak-services:< 26.6.2

🔗 References (9)