CVE-2026-30964 Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation
web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and...
CVE-2026-30964
The connected GHSA entry describes a concrete vulnerability in Webauthn Framework: when allowed_origins is configured, CheckAllowedOrigins reduces URL-like origins to their host, causing mismatched origins (scheme/port) to be treated as the same host. This bypasses the strict origin validation re...
GHSA-F7PM-6HR8-7GGM Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation
Summary When allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. Details CheckAllowedOrigins stores each...
EUVD-2026-10705
Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation...
PT-2026-24193
Name of the Vulnerable Software and Affected Versions web-auth/webauthn-lib versions prior to 5.2.4 Description The software’s origin validation process, when using the allowed origins configuration, reduces URL-like values to their host component, accepting matches based solely on the host. This...
Webauthn Framework Access Control Error Vulnerability
Webauthn Framework is an open-source authentication mechanism for Web-Authentication. It enables web applications to create and use powerful, proven, scoped, public-key-based credentials for strong user authentication. Versions of Webauthn Framework prior to 5.2.4 contained an access control...
EUVD-2021-1997
Malware in sbrugna...
CVE-2021-38299
Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence...
Username Enumeration
web-auth/webauthn-framework and web-auth/webauthn-lib are vulnerable to Username Enumeration. The vulnerability is due to the ProfileBasedRequestOptionsBuilder method returning allowedCredentials without any credentials if no username was found. This allows an attacker to enumerate valid username...
Insecure Access Control
web-auth/webauthn-framework has insecure access control. The vulnerability exists due to a lack of check of user presence allowing an attacker to login to vulnerable service...
Webauthn-Framework Authorization Issue Vulnerability
Webauthn-Framework is an authentication mechanism. It is used by Web applications to create and use strong, proven, scoped, public-key based credentials for strong authentication of users. Webauthn-Framework suffers from a security vulnerability that allows an attacker in control of a user's syst...