Description
Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation.
Published: 2026-05-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an incorrect check of a function's return value during the second‑factor authentication flow in Yubico webauthn-server-core. This flaw, a return‑value‑check failure (CWE‑253), enables an attacker to bypass the intended verification step and authenticate as a legitimate user, resulting in account impersonation and unauthorized access.

Affected Systems

Yubico webauthn-server-core (java‑webauthn‑server) versions earlier than 2.8.2, specifically 2.8.0 through 2.8.1, are affected. The vulnerability applies to any deployment that uses these library versions in its authentication pipeline.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact potential. Although EPSS data is unavailable and the issue is not listed in CISA's KEV catalog, the nature of the flaw—allowing impersonation during the second‑factor step—means attackers could gain access to user accounts if they can supply a forged or modified second‑factor response. Successful exploitation would give full access to privileged resources controlled by the victim’s account.

Generated by OpenCVE AI on May 14, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Yubico webauthn-server-core to version 2.8.2 or later.
  • Ensure that all integrated client libraries and services are also updated to a compatible version.
  • If an upgrade cannot be performed immediately, validate the response of the second‑factor function before proceeding with authentication and monitor for anomalous authentication attempts.

Tracking

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Yubico; Yubico webauthn-server-core
Vendors & Products                    Yubico; Yubico webauthn-server-core

Thu, 14 May 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 03:45:00 +0000

Type    Values Removed   Values Added
Title                    Impersonation Vulnerability in Yubico WebAuthn Server Core 2.8.0–2.8.1

Thu, 14 May 2026 03:30:00 +0000

Type Values Removed Values Added
References

Thu, 14 May 2026 02:15:00 +0000

Type          Values Removed   Values Added
Description                    Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation.
Weaknesses                     CWE-253
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Yubico Webauthn-server-core
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T13:52:51.531Z

Reserved: 2026-05-13T00:00:00.000Z

Link: CVE-2026-46419

Vulnrichment

Updated: 2026-05-14T13:52:48.342Z

NVD

Status : Deferred

Published: 2026-05-14T02:17:21.917

Modified: 2026-05-14T18:31:45.970

Link: CVE-2026-46419

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:02Z

Weaknesses