HIGH · CVE-2026-46419 · CVSS 7.5

CVE-2026-46419: Impersonation in Yubico webauthn-server-core

Platform: java

Component: yubico/java-webauthn-server

Fixed in: 2.8.2

CVE-2026-46419 affects Yubico webauthn-server-core versions 2.8.0 through 2.8.2. This vulnerability stems from an incorrect return value check within the second factor authentication flow, potentially allowing an attacker to impersonate legitimate users. The flaw can lead to unauthorized access and compromise of systems relying on this component. A fix is available in version 2.8.2.


Impact and Attack Scenarios

The core impact of CVE-2026-46419 is the potential for impersonation. An attacker exploiting this vulnerability could bypass the second factor authentication process, effectively gaining access to accounts as if they were the legitimate user. This could lead to data breaches, unauthorized modifications to system configurations, and potentially, complete system compromise. The blast radius extends to any system or application relying on Yubico webauthn-server-core for authentication, particularly those using the second factor flow. While no specific real-world precedents are immediately apparent, the ability to bypass multi-factor authentication is a significant security risk, comparable to vulnerabilities that weaken authentication mechanisms.

Exploitation Context

CVE-2026-46419 was published on 2026-05-14. Its severity is rated HIGH (CVSS 7.5). There are currently no public proof-of-concept exploits available. The EPSS score is pending evaluation. No active campaigns targeting this vulnerability have been observed at the time of writing, but the potential for impersonation warrants proactive mitigation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 7.5, HIGH)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: yubico/java-webauthn-server
Vendor: Yubico
Minimum version: 2.8.0
Maximum version: 2.8.2
Fixed in: 2.8.2

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2026-46419 is to upgrade to Yubico webauthn-server-core version 2.8.2 or later. If an immediate upgrade is not feasible due to compatibility issues or system downtime constraints, consider implementing stricter access controls and monitoring authentication logs for suspicious activity. While a WAF or proxy cannot directly prevent this impersonation, they can be configured to detect and block unusual authentication patterns. After upgrading, verify the fix by attempting a second-factor authentication flow and confirming that the return value check is functioning as expected.

How to fix

Upgrade to version 2.8.2 or later to fix the impersonation vulnerability. This update corrects an incorrect check of a function's return value in the second-factor flow, mitigating the risk of impersonation attacks.

Frequently asked questions

What is CVE-2026-46419 — Impersonation in Yubico webauthn-server-core?

CVE-2026-46419 is a HIGH severity vulnerability in Yubico webauthn-server-core versions 2.8.0–2.8.2. It allows an attacker to impersonate users due to an incorrect return value check in the second factor authentication flow, potentially bypassing authentication.

Am I affected by CVE-2026-46419 in Yubico webauthn-server-core?

If you are using Yubico webauthn-server-core versions 2.8.0, 2.8.1, or 2.8.2, you are potentially affected by this vulnerability. Upgrade to version 2.8.2 or later to mitigate the risk.
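The following is an added example, not part of this advisory and not code from the java-webauthn-server project: a small offline check that scans a pom.xml or build.gradle for a dependency on webauthn-server-core inside the version range this page lists as affected (2.8.0 through 2.8.2). It assumes the library's published Maven coordinates `com.yubico:webauthn-server-core` (not stated on this page), resolves `${property}` version references from the POM's `<properties>` block, and uses a constructed sample POM as input.

```python
"""Check Maven/Gradle dependency declarations for the webauthn-server-core
version range (2.8.0 through 2.8.2) that the CVE-2026-46419 advisory lists as affected.
Added example; not part of the advisory or the java-webauthn-server project."""
import re
import xml.etree.ElementTree as ET

# Assumed Maven coordinates of the library (its published ones; not taken from the advisory).
GROUP_ID = "com.yubico"
ARTIFACT_ID = "webauthn-server-core"
# Affected range as stated by the advisory: 2.8.0 through 2.8.2 inclusive.
AFFECTED_MIN = (2, 8, 0)
AFFECTED_MAX = (2, 8, 2)


def parse_version(text):
    """Turn '2.8.1' (or '2.8.1-SNAPSHOT') into an integer tuple; None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def pom_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency> in a pom.xml string,
    resolving ${property} references against the POM's <properties> block."""
    root = ET.fromstring(pom_xml)
    # Maven POMs normally carry a default namespace; build qualified tag names from it.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""

    def q(tag):
        return f"{{{ns}}}{tag}" if ns else tag

    props = {}
    props_el = root.find(q("properties"))
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}")[-1]] = (p.text or "").strip()

    for dep in root.iter(q("dependency")):
        g = dep.findtext(q("groupId"), "").strip()
        a = dep.findtext(q("artifactId"), "").strip()
        v = dep.findtext(q("version"), "").strip()
        # Substitute ${name} with the property value; leave unknown references untouched.
        v = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), v)
        yield g, a, v


def find_affected_in_pom(pom_xml):
    """Return the (groupId, artifactId, version) triples that match the affected range."""
    return [(g, a, v) for g, a, v in pom_dependencies(pom_xml)
            if g == GROUP_ID and a == ARTIFACT_ID and is_affected(v)]


# Matches Gradle string notation such as  implementation 'com.yubico:webauthn-server-core:2.8.1'
GRADLE_RE = re.compile(r"['\"]" + re.escape(f"{GROUP_ID}:{ARTIFACT_ID}") + r":([^'\"]+)['\"]")


def find_affected_in_gradle(build_text):
    """Return the affected version strings declared in a build.gradle(.kts) text."""
    return [v for v in GRADLE_RE.findall(build_text) if is_affected(v)]


# Constructed sample POM (not a real project file) pinning the affected version via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <webauthn.version>2.8.1</webauthn.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.yubico</groupId>
      <artifactId>webauthn-server-core</artifactId>
      <version>${webauthn.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>2.0.9</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    hits = find_affected_in_pom(SAMPLE_POM)
    for g, a, v in hits:
        print(f"affected: {g}:{a}:{v} (upgrade to 2.8.2 or later)")
    if not hits:
        print("no affected webauthn-server-core dependency found")
```

Run it against a real pom.xml by reading the file into `find_affected_in_pom`; for Gradle builds pass the build script text to `find_affected_in_gradle`. The check only inspects direct declarations, so a transitive dependency on the library would still need a resolved dependency tree (for example the output of `mvn dependency:tree`) to be caught.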

How do I fix CVE-2026-46419 in Yubico webauthn-server-core?

The recommended fix is to upgrade to Yubico webauthn-server-core version 2.8.2 or a later version. If an immediate upgrade is not possible, implement stricter access controls and monitor authentication logs.

Is CVE-2026-46419 being actively exploited?

As of the current assessment, there are no reports of CVE-2026-46419 being actively exploited. However, the potential for impersonation warrants proactive mitigation.

Where can I find the official Yubico advisory for CVE-2026-46419?

Please refer to the Yubico security advisory page for the most up-to-date information and official announcements regarding CVE-2026-46419: [https://www.yubico.com/security/advisories/](https://www.yubico.com/security/advisories/)
