Description
web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. This vulnerability is fixed in 5.2.4.
Published: 2026-03-10
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Origin Validation Bypass
Action: Immediate Patch
AI Analysis

Impact

The fault lies in the origin validation step (CheckAllowedOrigins) of the web-auth library. When allowed_origins is configured, the code trims any URL-like entry to its host component and compares only that host against the origin reported by the client, so differences in scheme or port never take part in the decision. In a WebAuthn ceremony the value being checked is the origin field the browser records in clientDataJSON for the page that ran the ceremony; it is not an arbitrary header the attacker can type in, but a registration or authentication response produced on a page served from the same host over a different scheme or port (for example https://example.com:8443 when the policy names https://example.com) is accepted as if it came from the configured origin. A relying party therefore cannot express an exact-origin policy at all, and a sibling origin on the same host that the deployment meant to exclude is treated as trusted. The weakness is classified as CWE-346 (Origin Validation Error) and removes a check that WebAuthn relying parties depend on to bind credentials to the origin that issued them.
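To make the difference concrete, the following PHP is an added illustration written for this page, not the webauthn-lib source: hostOnlyMatch() models the pre-5.2.4 behaviour the advisory describes (URL-like entries collapse to their host and only the host is compared), while exactOriginMatch() shows the canonical exact comparison an exact-origin policy needs. The function names, the sample policy and the four client origins are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Illustrative reconstruction of the two comparison strategies discussed above.
// These helpers are NOT the webauthn-lib code; they model the behaviour described
// for CheckAllowedOrigins before 5.2.4 and the exact comparison a strict policy needs.

/** Split an origin string into its components, or return null if it is not URL-like. */
function originParts(string $value): ?array
{
    $parts = parse_url($value);
    // A bare hostname such as "login.example.com" parses as a path, not a host.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    return $parts;
}

/**
 * Flawed policy: every URL-like entry collapses to its host, and the client origin
 * is matched on host alone. Scheme and port never influence the result.
 */
function hostOnlyMatch(array $allowedOrigins, string $clientOrigin): bool
{
    $client = originParts($clientOrigin);
    if ($client === null) {
        return false;
    }
    foreach ($allowedOrigins as $entry) {
        $parts = originParts($entry);
        // URL-like entries are reduced to their host; plain hosts are used as-is.
        $host = $parts === null ? $entry : $parts['host'];
        if (strcasecmp($host, $client['host']) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Canonical form for exact comparison: lower-cased scheme and host, with the port
 * kept only when it differs from the scheme default, so "https://a" equals "https://a:443".
 */
function canonicalOrigin(string $value): ?string
{
    $parts = originParts($value);
    if ($parts === null) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    $host = strtolower($parts['host']);
    $defaultPorts = ['https' => 443, 'http' => 80];
    $port = $parts['port'] ?? null;
    if ($port === null || (isset($defaultPorts[$scheme]) && $port === $defaultPorts[$scheme])) {
        return $scheme . '://' . $host;
    }
    return $scheme . '://' . $host . ':' . $port;
}

/** Strict policy: the client origin must equal one configured origin exactly. */
function exactOriginMatch(array $allowedOrigins, string $clientOrigin): bool
{
    $client = canonicalOrigin($clientOrigin);
    if ($client === null) {
        return false;
    }
    foreach ($allowedOrigins as $entry) {
        // A plain host entry canonicalises to null and can never match: an exact
        // policy has to be written with full origins.
        if (canonicalOrigin($entry) === $client) {
            return true;
        }
    }
    return false;
}

// Constructed sample: a policy that intends to admit exactly one origin, and the
// origin values a browser would record in clientDataJSON for four different pages.
$allowedOrigins = ['https://login.example.com'];
$clientOrigins = [
    'https://login.example.com',       // the intended origin
    'https://login.example.com:8443',  // same host, different port
    'http://login.example.com',        // same host, different scheme
    'https://evil.example.net',        // different host
];

printf("%-34s %-9s %s\n", 'client origin', 'host-only', 'exact');
foreach ($clientOrigins as $origin) {
    printf(
        "%-34s %-9s %s\n",
        $origin,
        hostOnlyMatch($allowedOrigins, $origin) ? 'accept' : 'reject',
        exactOriginMatch($allowedOrigins, $origin) ? 'accept' : 'reject'
    );
}
```

Running this with the php CLI shows the two same-host rows (port 8443 and plain http) accepted by the host-only strategy and rejected by the exact one; only the configured origin passes both, and the foreign host passes neither. The canonical form also shows why an exact comparison needs normalisation rather than a raw string compare: https://login.example.com and https://login.example.com:443 are the same origin and must be treated as such.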

Affected Systems

Vulnerable products include the web-auth ecosystem: web-auth/webauthn-framework, web-auth/webauthn-lib, and web-auth/webauthn-symfony-bundle. All versions prior to 5.2.4 are affected. Versions 5.2.4 and later contain the remediation.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) reflects limited confidentiality and integrity impact, and the EPSS score below 1% indicates a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The origin checked during a WebAuthn ceremony is the value the browser records in clientDataJSON, so an attacker cannot simply send a crafted Origin header; exploitation requires a user to complete a registration or authentication ceremony on a page whose origin shares the host named in allowed_origins but differs in scheme or port, after which the vulnerable check accepts the response. That user involvement is consistent with the UI:R component of the vector. No privileges on the application are required. The deployments exposed are those whose policy relies on scheme or port to separate trusted from untrusted origins on the same host.

Generated by OpenCVE AI on April 17, 2026 at 11:41 UTC.

Remediation

The vendor has fixed the issue in version 5.2.4 (see GHSA-f7pm-6hr8-7ggm). No workaround other than upgrading is listed in the advisory.

OpenCVE Recommended Actions

  • Upgrade the web-auth/webauthn-framework, web-auth/webauthn-lib, and web-auth/webauthn-symfony-bundle to version 5.2.4 or later.
  • After upgrading, re-evaluate the allowed_origins configuration so that it lists fully qualified origins (scheme, host and, where non-default, port) rather than bare host names, and remove any overly permissive entries. Note that on versions prior to 5.2.4 fully qualified entries are collapsed to their host anyway, so this step only takes effect once the upgrade is in place.
  • If an upgrade cannot be performed immediately, temporarily disable Webauthn authentication routes or restrict access to those routes until the patch is applied.

Advisories
Source: GitHub GHSA
ID: GHSA-f7pm-6hr8-7ggm
Title: Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation
History

Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Web-auth; Web-auth webauthn-framework; Web-auth webauthn-lib; Web-auth webauthn-symfony-bundle

Type: Vendors & Products
Values Added: Web-auth; Web-auth webauthn-framework; Web-auth webauthn-lib; Web-auth webauthn-symfony-bundle

Tue, 10 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:30:00 +0000

Type: Description
Values Added: web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. This vulnerability is fixed in 5.2.4.

Type: Title
Values Added: Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation

Type: Weaknesses
Values Added: CWE-346

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T17:57:34.091Z

Reserved: 2026-03-07T17:53:48.814Z

Link: CVE-2026-30964

Vulnrichment

Updated: 2026-03-10T17:57:22.412Z

NVD

Status : Awaiting Analysis

Published: 2026-03-10T18:18:55.410

Modified: 2026-03-11T13:53:20.707

Link: CVE-2026-30964

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses