Medium severity 5.4 · NVD Advisory · Published Mar 10, 2026 · Updated May 7, 2026
CVE-2026-30964
Description
web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle that lets developers integrate WebAuthn authentication into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. This vulnerability is fixed in 5.2.4.
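The difference between host-only matching and exact origin matching, as an added example (not code from webauthn-lib or its patch). The function names, the sample policy and the sample origins are hypothetical and constructed for illustration; the second comparison is one way to express an exact scheme/host/port policy, not necessarily how 5.2.4 implements it.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not webauthn-lib's API.

// Host-only comparison, matching the behaviour the description attributes
// to versions before 5.2.4: URL-like values are reduced to their host.
function hostOf(string $value): string
{
    $host = parse_url($value, PHP_URL_HOST);
    return strtolower(is_string($host) ? $host : $value);
}

function hostOnlyMatch(string $origin, array $allowedOrigins): bool
{
    return in_array(hostOf($origin), array_map('hostOf', $allowedOrigins), true);
}

// Exact comparison: normalise to scheme://host:port, filling in default ports.
function normalizeOrigin(string $value): ?string
{
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // not a full origin: reject instead of guessing
    }
    $scheme = strtolower($parts['scheme']);
    $defaults = ['http' => 80, 'https' => 443];
    $port = $parts['port'] ?? ($defaults[$scheme] ?? null);
    return $scheme . '://' . strtolower($parts['host']) . ($port !== null ? ':' . $port : '');
}

function exactOriginMatch(string $origin, array $allowedOrigins): bool
{
    $candidate = normalizeOrigin($origin);
    if ($candidate === null) {
        return false;
    }
    return in_array($candidate, array_map('normalizeOrigin', $allowedOrigins), true);
}

// Constructed sample policy and client-reported origins.
$allowed = ['https://login.example.com'];
$samples = ['https://login.example.com', 'http://login.example.com', 'https://login.example.com:8443'];
foreach ($samples as $origin) {
    printf("%-32s host-only=%-5s exact=%s\n", $origin,
        var_export(hostOnlyMatch($origin, $allowed), true),
        var_export(exactOriginMatch($origin, $allowed), true));
}
```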
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| web-auth/webauthn-framework (Packagist) | >= 5.2.0, < 5.2.4 | 5.2.4 |
| web-auth/webauthn-lib (Packagist) | >= 5.2.0, < 5.2.4 | 5.2.4 |
| web-auth/webauthn-symfony-bundle (Packagist) | >= 5.2.0, < 5.2.4 | 5.2.4 |
Affected products
- cpe:2.3:a:spomky-labs:webauthn_framwork:\*:\*:\*:\*:\*:\*:\*:\* Range: >=5.2.0,<5.2.4
- cpe:2.3:a:spomky-labs:webauthn-symfony-bundle:\*:\*:\*:\*:\*:\*:\*:\* Range: >=5.2.0,<5.2.4
- osv-coords (10 versions):
  - pkg:apk/chainguard/nextcloud-server-30 (no CPE) range: < 30.0.17-r2
  - pkg:apk/chainguard/nextcloud-server-31 (no CPE) range: < 31.0.14-r2
  - pkg:apk/chainguard/nextcloud-server-32 (no CPE) range: < 32.0.6-r3
  - pkg:apk/chainguard/nextcloud-server-33 (no CPE) range: < 33.0.0-r1
  - pkg:apk/wolfi/nextcloud-server-31 (no CPE) range: < 31.0.14-r2
  - pkg:apk/wolfi/nextcloud-server-32 (no CPE) range: < 32.0.6-r3
  - pkg:apk/wolfi/nextcloud-server-33 (no CPE) range: < 33.0.0-r1
  - pkg:composer/web-auth/webauthn-framework (no CPE) range: >= 5.2.0, < 5.2.4
  - pkg:composer/web-auth/webauthn-lib (no CPE) range: >= 5.2.0, < 5.2.4
  - pkg:composer/web-auth/webauthn-symfony-bundle (no CPE) range: >= 5.2.0, < 5.2.4
- Range: < 5.2.4
- web-auth/webauthn-symfony-bundle v5 Range: < 5.2.4
References
- github.com/web-auth/webauthn-framework/commit/535cc3c2dcbd9c3dfd5e00a254ad4a984e5e7839 (nvd: Patch, WEB)
- github.com/web-auth/webauthn-framework/commit/b4cd9a4394c35fcac6080fd2f84f4f58a30abc01 (nvd: Patch, WEB)
- github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hr8-7ggm (nvd: Exploit, Vendor Advisory, WEB)
- github.com/advisories/GHSA-f7pm-6hr8-7ggm (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-30964 (ghsa: ADVISORY)