Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation.
AnalysisAI
Authentication bypass in Yubico java-webauthn-server (webauthn-server-core) 2.8.0 through 2.8.1 allows an attacker holding any valid registered credential to impersonate other users during the second-factor flow. The flaw stems from an unchecked return value in finishAssertion that accepts a successful authentication result even when the authenticated credential belongs to a different user than the one named in StartAssertionOptions.username. No public exploit identified at time of analysis, and EPSS is very low (0.01%), but CISA SSVC rates the technical impact as total.
Technical ContextAI
java-webauthn-server is Yubico's reference Java implementation of the W3C Web Authentication (WebAuthn) Relying Party API, widely embedded in identity providers and applications that adopt passkeys or FIDO2 second-factor authentication. The bug is classified as CWE-253 (Incorrect Check of Function Return Value): the RelyingParty.finishAssertion and RelyingPartyV2.finishAssertion methods fail to enforce that the credential which actually signed the assertion is owned by the username supplied in StartAssertionOptions, so a mismatched-but-otherwise-valid assertion is treated as a successful login. Affected component per NVD CPE is cpe:2.3:a:yubico:webauthn-server-core, versions 2.8.0 up to but not including 2.8.2.
RemediationAI
Vendor-released patch: 2.8.2 - upgrade the webauthn-server-core (java-webauthn-server) dependency to 2.8.2 or later as published at https://github.com/Yubico/java-webauthn-server/releases/tag/2.8.2 and review the advisory at https://www.yubico.com/support/security-advisories/ysa-2026-02/. Until the upgrade is deployed, the compensating control is to validate, in your own application code immediately after calling finishAssertion, that the returned AssertionResult.getUsername() (or getCredential().getUserHandle()) matches the username originally supplied to startAssertion; reject the authentication if they differ. Operators who cannot patch quickly should also consider temporarily disabling WebAuthn second-factor flows for high-value accounts and falling back to an alternative MFA factor, accepting the UX regression, since logging or alerting alone will not prevent impersonation.
Same weakness CWE-253 – Incorrect Check of Function Return Value
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30211
GHSA-wq52-w6cx-5mg2