Skip to main content

Webauthn Server Core

1 CVEs product

Monthly

CVE-2026-46419 HIGH PATCH This Week

Authentication bypass in Yubico java-webauthn-server (webauthn-server-core) 2.8.0 through 2.8.1 allows an attacker holding any valid registered credential to impersonate other users during the second-factor flow. The flaw stems from an unchecked return value in finishAssertion that accepts a successful authentication result even when the authenticated credential belongs to a different user than the one named in StartAssertionOptions.username. No public exploit identified at time of analysis, and EPSS is very low (0.01%), but CISA SSVC rates the technical impact as total.

Information Disclosure Webauthn Server Core
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authentication bypass in Yubico java-webauthn-server (webauthn-server-core) 2.8.0 through 2.8.1 allows an attacker holding any valid registered credential to impersonate other users during the second-factor flow. The flaw stems from an unchecked return value in finishAssertion that accepts a successful authentication result even when the authenticated credential belongs to a different user than the one named in StartAssertionOptions.username. No public exploit identified at time of analysis, and EPSS is very low (0.01%), but CISA SSVC rates the technical impact as total.

Information Disclosure Webauthn Server Core
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy