Incorrect authorization in Webauthn Framework - #VU129680

Published: May 5, 2026


Vulnerability identifier: #VU129680
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-863
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Webauthn Framework
Software vendor: Web-Authentication

Description

The vulnerability allows an attacker with physical access to bypass user verification requirements.

The vulnerability exists due to incorrect authorization in Webauthn\Bundle\Policy\ClientOverridePolicy and the request options builders when processing client-supplied userVerification overrides in assertion or attestation options requests. An attacker with physical access can supply a crafted userVerification value to bypass user verification requirements.

User interaction is required, and exploitation requires possession of the victim's authenticator or an unlocked device.
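The weakness described above is a relying party letting a client-supplied userVerification value replace its own configured requirement. The following PHP is an added illustration written for this page; it is not code from Webauthn Framework and does not use the framework's classes. The function names, the constructed sample requests and the audit-log array are all assumptions. It places the weak pattern (copy whatever the client sent) beside a hardened resolver that treats the server's setting as a floor: the client may only ask for something at least as strict, unknown values are rejected, and downgrade attempts are recorded.

```php
<?php
declare(strict_types=1);

// The three values of the WebAuthn UserVerificationRequirement enum,
// ranked from weakest to strictest.
const UV_RANK = [
    'discouraged' => 0,
    'preferred'   => 1,
    'required'    => 2,
];

/**
 * Weak pattern (hypothetical, for contrast only): the client's override wins
 * unconditionally, so a client can turn "required" into "discouraged".
 */
function resolveUserVerificationWeak(string $serverPolicy, ?string $clientOverride): string
{
    return $clientOverride ?? $serverPolicy;
}

/**
 * Hardened pattern: the configured policy is a floor. Only a known value that
 * is at least as strict as the floor is honoured; everything else falls back
 * to the server policy and leaves an audit entry.
 */
function resolveUserVerification(string $serverPolicy, ?string $clientOverride, array &$auditLog = []): string
{
    if (!isset(UV_RANK[$serverPolicy])) {
        throw new InvalidArgumentException("Invalid server policy: $serverPolicy");
    }
    if ($clientOverride === null) {
        return $serverPolicy;
    }
    if (!isset(UV_RANK[$clientOverride])) {
        // Strict, case-sensitive match against the enum; no normalisation.
        $auditLog[] = 'rejected unknown userVerification value: ' . json_encode($clientOverride);
        return $serverPolicy;
    }
    if (UV_RANK[$clientOverride] < UV_RANK[$serverPolicy]) {
        $auditLog[] = "ignored downgrade request from $serverPolicy to $clientOverride";
        return $serverPolicy;
    }
    return $clientOverride;
}

// Constructed sample requests (server policy, client override); not from the advisory.
$samples = [
    ['required',  null],
    ['required',  'required'],
    ['required',  'discouraged'],
    ['preferred', 'required'],
    ['required',  'REQUIRED; drop'],
];

foreach ($samples as [$policy, $override]) {
    $log  = [];
    $weak = resolveUserVerificationWeak($policy, $override);
    $hard = resolveUserVerification($policy, $override, $log);
    printf("policy=%-9s override=%-16s weak=%-12s hardened=%-9s %s\n",
        $policy, var_export($override, true), $weak, $hard, implode('; ', $log));
}
```

Resolving the option at request time is only half of the control: the relying party should store the requirement it actually sent (for example alongside the challenge) and, when the assertion or attestation response comes back, check the UV flag in the authenticator data against that stored requirement rather than against anything present in the response. The audit entries from the hardened resolver are also the natural detection signal for clients that repeatedly ask for a weaker setting than the policy allows.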


Remediation

Install security update from vendor's website.

External links