Executive Summary

CVE-2026-30964 is a vulnerability in the web-auth/webauthn-framework and related packages where the origin validation mechanism was flawed. Specifically, when the allowed_origins configuration is used, the CheckAllowedOrigins component reduced URL-like origins to only their host component, ignoring the scheme (such as HTTP or HTTPS) and port differences.

This means that different origins that share the same host but differ in scheme or port were treated as identical, allowing an attacker to bypass strict origin validation required by the WebAuthn Level 2 specification. For example, an origin like https://example.com:8443 could be incorrectly accepted as https://example.com:9443.

The vulnerability was fixed in version 5.2.4 by rewriting the origin validation to compare full origins including scheme, host, and port, normalizing default ports, and maintaining backward compatibility for host-only origins.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to bypass origin checks during WebAuthn authentication by exploiting the fact that origins with the same host but different schemes or ports are treated as the same. This could lead to unauthorized authentication attempts being accepted.

As a result, an attacker could potentially impersonate a legitimate origin or perform cross-origin attacks, undermining the security guarantees of WebAuthn authentication flows.

The impact is moderate with a CVSS v3 base score of 5.4, indicating that it requires network access and user interaction but no privileges, and it can lead to low confidentiality and integrity impacts.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises from improper origin validation in the CheckAllowedOrigins component of web-auth/webauthn-framework and related packages. Detection involves verifying if the system accepts origins that differ only by scheme or port but share the same host, which should not be allowed.

To detect this on your system, you can test WebAuthn authentication requests with clientDataJSON.origin values that have the same host but different schemes or ports than those configured in allowed_origins. If the system accepts these requests, it is vulnerable.

Suggested commands or steps include:

• Craft WebAuthn authentication requests with origins such as https://example.com:8443 and https://example.com:9443 when only one port is allowed.
• Use tools like curl or custom scripts to send authentication requests with manipulated origin headers or clientDataJSON.origin fields.
• Monitor logs for accepted authentication attempts from origins differing only by port or scheme.
• Check the version of web-auth/webauthn-framework, webauthn-lib, or webauthn-symfony-bundle installed; versions prior to 5.2.4 are vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to upgrade the affected packages to version 5.2.4 or later, where the vulnerability is fixed.

The fix includes strict origin validation that compares scheme, host, and port, normalizes default ports, and enforces HTTPS scheme, preventing origin spoofing or bypasses.

If upgrading immediately is not possible, consider:

• Reviewing and tightening the allowed_origins configuration to avoid ambiguous or host-only entries.
• Temporarily disabling or restricting WebAuthn authentication flows that rely on origin validation until the fix can be applied.
• Monitoring authentication logs for suspicious origin mismatches.

Useful 0 Not Useful 0