Main Vulnerability Database SB2026050537

SB2026050537 - Incorrect authorization in Webauthn Framework

Published: May 5, 2026

Security Bulletin ID SB2026050537

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Physical access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Incorrect authorization (CVE-ID: N/A)

The vulnerability allows an attacker with physical access to bypass user verification requirements.

The vulnerability exists due to incorrect authorization in Webauthn\Bundle\Policy\ClientOverridePolicy and the request options builders when processing client-supplied userVerification overrides in assertion or attestation options requests. An attacker with physical access can supply a crafted userVerification value to bypass user verification requirements.

User interaction is required, and exploitation requires possession of the victim's authenticator or an unlocked device.

Remediation

Install update from vendor's website.

References

https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-h4fw-6r7f-w494