📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
About FAQ Contact Us Terms of Service Privacy Policy 🌐 العربية
🔐

Welcome — Sign in or create an account for full access.

🔑 Sign In ✨ Register
🌐 العربية Sign In Create Account
🔧 Scheduled Maintenance — Saturday 2:00-4:00 AM AST. Some features may be temporarily unavailable.    ●   
💎
Pro Plan 50% Off Unlock all AI features, unlimited reports, and priority support. Upgrade
Search Center
ESC to close
navigate open Ctrl+K search
CISO Consulting
Global phishing Cross-sector HIGH 2h Global apt Education CRITICAL 1h Global vulnerability Enterprise Software / ERP Systems CRITICAL 2h Global vulnerability IT Infrastructure CRITICAL 3h Global vulnerability Technology and Software Development HIGH 4h Global vulnerability Enterprise IT and Government CRITICAL 4h Global ransomware Multiple Sectors / Enterprise CRITICAL 5h Global general Technology and Legal MEDIUM 6h Global ransomware Financial Services / Cryptocurrency CRITICAL 6h Global general Industrial Control Systems / Operational Technology HIGH 7h Global phishing Cross-sector HIGH 2h Global apt Education CRITICAL 1h Global vulnerability Enterprise Software / ERP Systems CRITICAL 2h Global vulnerability IT Infrastructure CRITICAL 3h Global vulnerability Technology and Software Development HIGH 4h Global vulnerability Enterprise IT and Government CRITICAL 4h Global ransomware Multiple Sectors / Enterprise CRITICAL 5h Global general Technology and Legal MEDIUM 6h Global ransomware Financial Services / Cryptocurrency CRITICAL 6h Global general Industrial Control Systems / Operational Technology HIGH 7h Global phishing Cross-sector HIGH 2h Global apt Education CRITICAL 1h Global vulnerability Enterprise Software / ERP Systems CRITICAL 2h Global vulnerability IT Infrastructure CRITICAL 3h Global vulnerability Technology and Software Development HIGH 4h Global vulnerability Enterprise IT and Government CRITICAL 4h Global ransomware Multiple Sectors / Enterprise CRITICAL 5h Global general Technology and Legal MEDIUM 6h Global ransomware Financial Services / Cryptocurrency CRITICAL 6h Global general Industrial Control Systems / Operational Technology HIGH 7h
Vulnerabilities

CVE-2026-37982

Medium
Published: May 19, 2026  ·  Modified: May 19, 2026  ·  Source: NVD
CVSS v3
6.8
🔗 NVD Official
📄 Description (English)

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.

🤖 AI Executive Summary

CVE-2026-37982 is a critical authentication bypass vulnerability in Keycloak affecting WebAuthn token replay mechanisms. An attacker can intercept execute-actions email links to register unauthorized authenticators on victim accounts, enabling persistent account takeover without requiring the victim's password. This vulnerability poses severe risk to organizations using Keycloak for identity and access management, particularly those managing sensitive government and financial systems.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 19, 2026 16:48
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses critical risk to Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), and healthcare organizations using Keycloak for identity management. The ability to persistently compromise accounts through WebAuthn token replay directly threatens SAMA's cybersecurity framework requirements for financial institutions. Government entities managing citizen services and healthcare providers storing sensitive patient data face elevated risk of unauthorized access and data breach. Telecom operators (STC, Mobily) and energy sector organizations using Keycloak for employee/customer authentication are also at significant risk.
🏢 Affected Saudi Sectors
Banking and Financial Services (SAMA-regulated) Government and Public Administration (NCA oversight) Healthcare and Medical Services Telecommunications (STC, Mobily, Zain) Energy and Utilities (ARAMCO, power utilities) Education (universities using Keycloak for SSO) Insurance E-commerce and Retail
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:

1. Audit all Keycloak instances in your environment to identify WebAuthn-enabled realms and applications

2. Review email logs for suspicious execute-actions token usage patterns (2-3 months historical data)

3. Force re-authentication for all users with WebAuthn authenticators registered

4. Disable WebAuthn functionality temporarily if critical systems are affected

5. Monitor for unauthorized authenticator registrations in audit logs



PATCHING GUIDANCE:

- No official patch currently available; monitor Keycloak security advisories daily

- Implement vendor communication protocol with Keycloak project for patch timeline

- Prepare change management procedures for emergency patching once available



COMPENSATING CONTROLS:

1. Implement email security controls: DMARC/SPF/DKIM to prevent email interception

2. Add IP-based restrictions on execute-actions token validation (whitelist trusted networks)

3. Implement short token expiration windows (5-10 minutes maximum)

4. Require additional verification step before WebAuthn registration (SMS/OTP confirmation)

5. Enable detailed audit logging for all authenticator registration events

6. Implement rate limiting on execute-actions endpoints



DETECTION RULES:

- Alert on multiple WebAuthn registrations from different IP addresses for same user

- Monitor for execute-actions tokens used outside normal business hours

- Track failed WebAuthn registration attempts followed by successful ones

- Flag tokens reused multiple times (replay detection)

- Alert on authenticator registrations without corresponding user action in UI logs
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:

1. تدقيق جميع مثيلات Keycloak في بيئتك لتحديد المجالات والتطبيقات المفعلة لـ WebAuthn

2. مراجعة سجلات البريد الإلكتروني للأنماط المريبة لاستخدام رموز الإجراءات المنفذة (بيانات تاريخية 2-3 أشهر)

3. فرض إعادة المصادقة لجميع المستخدمين الذين لديهم أجهزة مصادقة WebAuthn مسجلة

4. تعطيل وظيفة WebAuthn مؤقتاً إذا تأثرت الأنظمة الحرجة

5. مراقبة تسجيلات أجهزة المصادقة غير المصرح بها في سجلات التدقيق



إرشادات التصحيح:

- لا يوجد تصحيح رسمي متاح حالياً؛ راقب مستشارات أمان Keycloak يومياً

- تنفيذ بروتوكول الاتصال مع مشروع Keycloak لجدول زمني للتصحيح

- تحضير إجراءات إدارة التغيير للتصحيح الطارئ بمجرد توفره



الضوابط البديلة:

1. تنفيذ ضوابط أمان البريد الإلكتروني: DMARC/SPF/DKIM لمنع اعتراض البريد

2. إضافة قيود قائمة على IP لتحقق رموز الإجراءات المنفذة (قائمة بيضاء للشبكات الموثوقة)

3. تنفيذ نوافذ انتهاء صلاحية الرموز القصيرة (5-10 دقائق كحد أقصى)

4. طلب خطوة تحقق إضافية قبل تسجيل WebAuthn (تأكيد SMS/OTP)

5. تفعيل تسجيل التدقيق التفصيلي لجميع أحداث تسجيل جهاز المصادقة

6. تنفيذ تحديد معدل على نقاط نهاية الإجراءات المنفذة



قواعد الكشف:

- تنبيه عند تسجيلات WebAuthn متعددة من عناوين IP مختلفة لنفس المستخدم

- مراقبة رموز الإجراءات المنفذة المستخدمة خارج ساعات العمل العادية

- تتبع محاولات تسجيل WebAuthn الفاشلة متبوعة بنجاح

- تنبيه الرموز المستخدمة عدة مرات (كشف إعادة التشغيل)

- تنبيه تسجيلات جهاز المصادقة بدون إجراء مستخدم مقابل في سجلات واجهة المستخدم
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies (unauthorized authenticator registration violates access control) ECC 2024 A.8.2.1 - User Authentication (WebAuthn token replay undermines authentication integrity) ECC 2024 A.8.2.3 - Password Management (persistent account takeover without password compromise) ECC 2024 A.12.4.1 - Event Logging (requires detection of unauthorized registration attempts)
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset Management (Keycloak systems managing critical authentication) SAMA CSF PR.AC-1 - Access Control (unauthorized authenticator enrollment) SAMA CSF PR.AC-2 - Physical/Logical Access (account takeover capability) SAMA CSF DE.CM-1 - Detection Processes (monitoring for token replay attacks) SAMA CSF RS.MI-2 - Incident Response (account compromise investigation)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access Control (authentication mechanism compromise) ISO 27001:2022 A.8.2 - User Authentication (WebAuthn token vulnerability) ISO 27001:2022 A.8.3 - Access Rights Management (unauthorized credential enrollment) ISO 27001:2022 A.12.4 - Logging (audit trail of authenticator registration) ISO 27001:2022 A.16.1 - Incident Management (account takeover incidents)
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Default Credentials (if Keycloak manages payment system access) PCI DSS 6.5.10 - Authentication Mechanisms (WebAuthn token replay vulnerability) PCI DSS 7.1 - Access Control (unauthorized account access through compromised authenticators) PCI DSS 10.2 - User Identification (audit logging of authenticator registration)
📊 CVSS Score
6.8
/ 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack VectorN — None / Network
Attack ComplexityH — High
Privileges RequiredN — None / Network
User InteractionR — Required
ScopeU — Unchanged
ConfidentialityH — High
IntegrityH — High
AvailabilityN — None / Network
📋 Quick Facts
Severity Medium
CVSS Score6.8
EPSS0.05%
Exploit No
Patch ✗ No
Published 2026-05-19
Source Feed nvd
🇸🇦 Saudi Risk Score
8.2
/ 10.0 — Saudi Risk
Priority: CRITICAL
⚡ Actions
🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details
Share this CVE
LinkedIn X / Twitter WhatsApp Telegram
📣 Found this valuable?
Share it with your cybersecurity network
in LinkedIn 𝕏 X / Twitter 💬 WhatsApp ✈ Telegram
🍪 Privacy Preferences
CISO Consulting — Compliant with Saudi Personal Data Protection Law (PDPL)
We use cookies and similar technologies to provide the best experience on our platform. You can choose which types you accept.
🔒
Essential Always On
Required for the website to function properly. Cannot be disabled.
📋 Sessions, CSRF tokens, authentication, language preferences
📊
Analytics
Help us understand how visitors use the site and improve performance.
📋 Page views, session duration, traffic sources, performance metrics
⚙️
Functional
Enable enhanced features like content personalization and preferences.
📋 Dark/light theme, font size, custom dashboards, saved filters
📣
Marketing
Used to deliver content and ads relevant to your interests.
📋 Campaign tracking, retargeting, social media analytics
Privacy Policy →
CISO AI Assistant
Ask anything · Documents · Support
🔐

Introduce Yourself

Enter your details to access the full assistant

Your info is private and never shared
💬
CyberAssist
Online · responds in seconds
5 / 5
🔐 Verify Your Identity

Enter your email to receive a verification code before submitting a support request.

Enter to send · / for commands 0 / 2000
CISO AI · Powered by Anthropic Claude
✦ Quick Survey Help Us Improve CISO Consulting Your feedback shapes the future of our platform — takes less than 2 minutes.
⚠ Please answer this question to continue

How would you rate your overall experience with our platform?

Rate from 1 (poor) to 5 (excellent)

🎉
Thank you!
Your response has been recorded.