Yubico WebAuthn Server Core User Impersonation Vulnerability

Vulnerability

A user impersonation vulnerability has been identified in Yubico WebAuthn Server Core versions 2.8.0 and later, prior to 2.8.2. The issue arises in the 'second factor' authentication flow, where the software incorrectly validates the return values it receives, allowing an attacker who holds an existing account to authenticate as another user who has no registered WebAuthn credential.

Impact

Exploitation of this vulnerability allows for user impersonation, where an attacker can authenticate as a target user without their consent or knowledge.

Remediation

Users are advised to update to Yubico WebAuthn Server Core version 2.8.2, or to 2.9.0 or later. Additionally, if you implement the 'CredentialRepository' or 'UsernameRepository' interfaces, ensure that their methods return unique, non-empty results for registered usernames. Avoid using certain RelyingParty methods that could introduce the vulnerability.
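As an added illustration of the repository advice above (example code, not Yubico's own), a minimal in-memory CredentialRepository whose lookups return Optional.empty() or an empty set for unknown or credential-less users and a distinct random handle for every registered user. The interface method signatures are those of com.yubico.webauthn.CredentialRepository; the storage layout and the helper methods createUser/addCredential are assumptions of this example.

```java
import com.yubico.webauthn.CredentialRepository;
import com.yubico.webauthn.RegisteredCredential;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
import java.security.SecureRandom;
import java.util.*;
import java.util.stream.Collectors;

/** Added example, not Yubico's code: in-memory store (assumed layout) whose lookups never return shared or placeholder values. */
public final class StrictCredentialRepository implements CredentialRepository {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, ByteArray> handleByUsername = new HashMap<>();
    private final Map<ByteArray, String> usernameByHandle = new HashMap<>();
    private final Map<ByteArray, Set<RegisteredCredential>> credsByHandle = new HashMap<>();

    /** Issue a fresh random 64-byte handle per account, so two usernames can never map to the same handle. */
    public synchronized ByteArray createUser(String username) {
        if (handleByUsername.containsKey(username)) throw new IllegalStateException("username exists: " + username);
        byte[] raw = new byte[64]; ByteArray handle;
        do { RNG.nextBytes(raw); handle = new ByteArray(raw.clone()); } while (usernameByHandle.containsKey(handle));
        handleByUsername.put(username, handle);
        usernameByHandle.put(handle, username);
        credsByHandle.put(handle, new HashSet<>());
        return handle;
    }
    /** Only accept credentials for handles this repository issued. */
    public synchronized void addCredential(RegisteredCredential cred) {
        Set<RegisteredCredential> set = credsByHandle.get(cred.getUserHandle());
        if (set == null) throw new IllegalArgumentException("unknown user handle");
        set.add(cred);
    }
    /** Empty set (never null) for unknown users and for users who have not registered a credential yet. */
    @Override public synchronized Set<PublicKeyCredentialDescriptor> getCredentialIdsForUsername(String username) {
        ByteArray handle = handleByUsername.get(username);
        if (handle == null) return Collections.emptySet();
        return credsByHandle.get(handle).stream()
                .map(c -> PublicKeyCredentialDescriptor.builder().id(c.getCredentialId()).build()).collect(Collectors.toSet());
    }
    /** Optional.empty() for unknown usernames; never a default or zero-length handle. */
    @Override public synchronized Optional<ByteArray> getUserHandleForUsername(String u) { return Optional.ofNullable(handleByUsername.get(u)); }
    @Override public synchronized Optional<String> getUsernameForUserHandle(ByteArray h) { return Optional.ofNullable(usernameByHandle.get(h)); }
    @Override public synchronized Optional<RegisteredCredential> lookup(ByteArray credentialId, ByteArray userHandle) {
        return credsByHandle.getOrDefault(userHandle, Collections.emptySet()).stream()
                .filter(c -> c.getCredentialId().equals(credentialId)).findAny();
    }
    @Override public synchronized Set<RegisteredCredential> lookupAll(ByteArray credentialId) {
        return credsByHandle.values().stream().flatMap(Set::stream)
                .filter(c -> c.getCredentialId().equals(credentialId)).collect(Collectors.toSet());
    }
}
```

The point to carry into a real backing store is the same: a username that is not registered yields an empty result, and no two accounts ever share a user handle.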

Added: May 14, 2026, 2:26 AM
Updated: May 14, 2026, 2:26 AM

Vulnerability Rating

Custom Algorithm scores:
spread: 0.0
impact: 1.3
exploitability: 4.8
remediation: 0.0
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.