A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay an ExecuteActionsActionToken within Keycloak's WebAuthn (Web Authentication) flow: the token carried in an execute-actions email link can be redeemed more than once (CWE-294, capture-replay). An attacker who intercepts such a link can use it to register an authenticator they control on the victim's account. The result is unauthorized enrollment of a WebAuthn credential (for example a hardware-backed authenticator), giving the attacker persistent account takeover through a credential the victim never enrolled.
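The following Python is an added illustration of the failure class behind this advisory; it is not Keycloak's code and not the project's fix. It models an "execute actions" token sent by email and shows the weak behaviour (the token stays redeemable until expiry) next to the single-use check that defeats replay: the token id is consumed on first redemption, before the action is carried out. The HMAC token format, the names (issue_token, redeem, ActionTokenStore) and the in-memory store are assumptions made for the example.

```python
"""Single-use action-token check, written for this advisory as an example.
Not Keycloak's implementation; all names and the token format are assumed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional, Tuple

SECRET = b"demo-signing-key"  # constructed for the example; a real deployment uses a managed key


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, actions: List[str], ttl: int, now: Optional[float] = None) -> str:
    """Build a signed token such as the one a required-actions email link would carry."""
    now = time.time() if now is None else now
    claims = {
        "jti": secrets.token_hex(16),  # unique token id; the key for single-use tracking
        "sub": user_id,
        "actions": actions,            # actions the link authorizes, e.g. "webauthn-register"
        "exp": int(now) + ttl,
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class ActionTokenStore:
    """Remembers redeemed token ids until they expire, so a captured link cannot be replayed.
    In production this must be a shared store with an atomic insert (e.g. a unique key)."""

    def __init__(self) -> None:
        self._used: Dict[str, int] = {}

    def consume(self, jti: str, exp: int) -> bool:
        """Mark jti as redeemed; returns False if it was already used."""
        if jti in self._used:
            return False
        self._used[jti] = exp
        return True

    def prune(self, now: float) -> None:
        """Drop entries whose token has expired anyway; bounds the store's size."""
        self._used = {j: e for j, e in self._used.items() if e > now}


def redeem(token: str, store: Optional[ActionTokenStore], action: str,
           now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate `token` for `action`.

    store=None reproduces the weak behaviour: signature and expiry only, so the
    same link works any number of times until it expires.  With a store, the
    token id is consumed on the first successful redemption and every later
    presentation is rejected as a replay.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        return False, "expired"
    if action not in claims["actions"]:
        return False, "action not authorized by this token"
    # Consume BEFORE performing the action, so a concurrent second request cannot slip through.
    if store is not None and not store.consume(claims["jti"], claims["exp"]):
        return False, "replayed token"
    return True, claims["sub"]


if __name__ == "__main__":
    store = ActionTokenStore()
    link_token = issue_token("victim", ["webauthn-register"], ttl=600)
    print(redeem(link_token, None, "webauthn-register"))   # weak: accepted
    print(redeem(link_token, None, "webauthn-register"))   # weak: accepted again (replay)
    print(redeem(link_token, store, "webauthn-register"))  # fixed: accepted once
    print(redeem(link_token, store, "webauthn-register"))  # fixed: rejected as replay
```

The point to carry over to any real system: single-use state has to be shared by every node that can redeem the link, the consume step has to be atomic, and it has to run before the authenticator is registered rather than after, otherwise two concurrent requests with the same captured link can both succeed.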
{
"github_reviewed_at": "2026-06-04T15:35:19Z",
"nvd_published_at": "2026-05-19T12:16:18Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-294"
],
"severity": "MODERATE"
}