VYPR
High severity · 7.5 · NVD Advisory · Published May 14, 2026 · Updated May 14, 2026

CVE-2026-46419

Description

Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Yubico webauthn-server-core 2.8.0–2.8.1 incorrectly validates a function return in the second-factor flow, allowing user impersonation.

Vulnerability

Overview

CVE-2026-46419 affects Yubico's webauthn-server-core (java-webauthn-server) versions 2.8.0 through 2.8.1, and several alpha/RC releases. The bug occurs when the server processes a second-factor (non-passkey) WebAuthn authentication attempt. The function responsible for checking the user's credential presence returns a value that is not properly validated, allowing the server to proceed with authentication even when the target user has no registered credential. [1]

Attack

Vector and Prerequisites

Exploitation requires the attacker to have an existing account on the relying party's system. The relying party must use usernames to identify users and allow authentication attempts against usernames that lack a WebAuthn user handle in the credential repository. Additionally, the implementation must use the second-factor flow rather than the passkey flow. Under these conditions, an attacker can authenticate as any user who does not have a registered WebAuthn credential. [1]

Impact

A successful attack results in user impersonation: the attacker gains access to the target user's account without possessing their credentials. This breaks the authentication guarantee provided by WebAuthn and can lead to unauthorized data access, privilege escalation, or further compromise within the relying party's application. [1]

Mitigation

Yubico released version 2.8.2 of webauthn-server-core to fix the return-value check. All affected production versions (2.8.0 through 2.8.1) and pre-release versions listed in the advisory should be updated immediately. Users still on versions 2.6.0 or 2.7.0 are not affected. No Yubico hardware products are impacted. [1] [2]
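The version ranges above translate directly into an "am I affected?" check that can be run against a build file. The script below is an added example, not part of this advisory or of the java-webauthn-server project: it extracts the webauthn-server-core dependency version from Gradle or Maven text (the Maven coordinates com.yubico:webauthn-server-core are assumed) and classifies it using only the ranges stated on this page. The specific alpha/RC versions are listed in Yubico's advisory and not reproduced here, so any pre-release tag in the 2.8.0–2.8.1 range is reported for manual confirmation rather than guessed at.

```python
import re
from typing import NamedTuple, Optional

# Added example for CVE-2026-46419. Encodes only what the advisory text states:
# 2.8.0 through 2.8.1 affected, 2.8.2 fixed, 2.6.0 and 2.7.0 not affected.
# Pre-release (alpha/RC) builds are flagged for a look at Yubico's advisory,
# which lists them individually; this script does not assume which ones.

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")

# Assumed Maven coordinates for the library: com.yubico:webauthn-server-core
GRADLE_RE = re.compile(r"""['"]com\.yubico:webauthn-server-core:([^'"]+)['"]""")
MAVEN_RE = re.compile(
    r"<artifactId>\s*webauthn-server-core\s*</artifactId>\s*"
    r"<version>\s*([^<\s]+)\s*</version>",
    re.DOTALL,
)

FIRST_AFFECTED = (2, 8, 0)  # first affected release named on the page
FIXED = (2, 8, 2)           # release carrying the return-value fix


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    prerelease: Optional[str]

    @property
    def base(self) -> tuple:
        """Numeric part only, so tuple comparison gives semantic ordering."""
        return (self.major, self.minor, self.patch)


def parse_version(text: str) -> Version:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return Version(int(major), int(minor), int(patch), pre)


def assess(version_text: str) -> str:
    """Classify one dependency version against the advisory's ranges."""
    v = parse_version(version_text)
    if v.base < FIRST_AFFECTED:
        return "not affected"
    if v.base >= FIXED:
        if v.prerelease is None:
            return "fixed"
        # A pre-release of the fixed version is not covered by the advisory text.
        return "pre-release: consult advisory"
    # Numeric base is 2.8.0 or 2.8.1.
    if v.prerelease is None:
        return "affected"
    return "pre-release in affected range: consult advisory"


def find_versions(build_text: str) -> list:
    """Pull every webauthn-server-core version out of Gradle and/or Maven text."""
    return GRADLE_RE.findall(build_text) + MAVEN_RE.findall(build_text)


# Constructed sample build fragments (not from any real project).
SAMPLE_GRADLE = """
dependencies {
    implementation 'com.yubico:webauthn-server-core:2.8.1'
}
"""

SAMPLE_POM = """
<dependency>
  <groupId>com.yubico</groupId>
  <artifactId>webauthn-server-core</artifactId>
  <version>2.8.2</version>
</dependency>
"""

if __name__ == "__main__":
    for ver in find_versions(SAMPLE_GRADLE + SAMPLE_POM):
        print(f"webauthn-server-core {ver}: {assess(ver)}")
```

Run it against your own build files by replacing the constructed samples with their contents; anything reported as "affected" should move to 2.8.2, and anything flagged as a pre-release should be compared against the version list in Yubico's advisory.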

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
