CVE-2026-30964 Overview
CVE-2026-30964 is an Origin Validation Bypass vulnerability in web-auth/webauthn-lib, an open source set of PHP libraries and a Symfony bundle that allows developers to integrate WebAuthn authentication mechanisms into their web applications. Prior to version 5.2.4, when allowed_origins is configured, the CheckAllowedOrigins function reduces URL-like values to their host component and accepts on host match alone. This flawed validation makes exact origin policies impossible to express, as scheme and port differences are silently ignored.
Critical Impact
Applications relying on strict origin validation for WebAuthn authentication may accept credentials from unintended origins, potentially allowing attackers to bypass authentication controls through scheme or port manipulation.
Affected Products
- web-auth/webauthn-lib versions prior to 5.2.4
- web-auth/webauthn-framework versions prior to 5.2.4
- Symfony applications using affected webauthn-lib versions
Discovery Timeline
- 2026-03-10 - CVE-2026-30964 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30964
Vulnerability Analysis
This vulnerability stems from improper origin validation in the WebAuthn authentication flow. The CheckAllowedOrigins function is designed to validate that authentication requests originate from trusted sources by comparing the origin against a configured allowlist. However, the implementation incorrectly reduces full URL values to just the host component before performing the comparison.
This behavior means that when an administrator configures allowed_origins to accept only https://example.com:443, the validation will also accept requests from http://example.com (different scheme) or https://example.com:8443 (different port). This directly violates the Same-Origin Policy principles that WebAuthn security relies upon.
The vulnerability is classified under CWE-346 (Origin Validation Error), which describes flaws where a product does not properly verify that the source of data or communication is valid.
Root Cause
The root cause is the flawed parsing logic within the CheckAllowedOrigins validation function. Instead of comparing the complete origin (scheme + host + port), the function extracts only the hostname component and performs matching against that isolated value. This reductive approach fails to account for the security-critical nature of scheme and port in origin determination, as defined by web security standards.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker could exploit this vulnerability by hosting a malicious page on a domain that shares the same hostname as a legitimate allowed origin but uses a different scheme (HTTP vs HTTPS) or port. When a victim visits the attacker's page and attempts to authenticate using WebAuthn, the vulnerable library may incorrectly accept the authentication assertion despite originating from an unauthorized origin.
For example, if an application allows https://app.example.com, an attacker controlling http://app.example.com or https://app.example.com:8080 could potentially bypass origin checks. This could facilitate credential theft or authentication bypass scenarios.
The vulnerability mechanism involves improper URL parsing in the origin validation logic. When a URL like https://example.com:443 is provided to the CheckAllowedOrigins function, it incorrectly strips the scheme and port, comparing only example.com against the allowlist. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-30964
Indicators of Compromise
- WebAuthn authentication requests originating from unexpected schemes (HTTP instead of HTTPS)
- Authentication attempts from non-standard ports that should not be permitted
- Unusual origin headers in WebAuthn ceremony requests that differ in scheme or port from configured allowed origins
- Log entries showing successful authentications from origins not explicitly configured in allowlist
Detection Strategies
- Review application logs for WebAuthn authentication requests and compare origin headers against your strict origin policy
- Implement additional origin validation at the application layer that performs full URL comparison including scheme and port
- Audit your allowed_origins configuration to identify where scheme or port restrictions are critical to security
- Deploy web application firewall rules to flag WebAuthn requests with origin mismatches
Monitoring Recommendations
- Enable verbose logging for WebAuthn authentication events to capture full origin information
- Set up alerts for authentication attempts from origins that match hostname but differ in scheme or port
- Monitor for increases in failed or suspicious authentication patterns that may indicate exploitation attempts
- Regularly audit WebAuthn-related security logs for anomalies in origin validation
How to Mitigate CVE-2026-30964
Immediate Actions Required
- Upgrade web-auth/webauthn-lib to version 5.2.4 or later immediately
- Review all allowed_origins configurations to understand current exposure
- Audit recent authentication logs for any suspicious origin patterns
- Consider implementing additional application-layer origin validation as defense in depth
Patch Information
The vulnerability is fixed in version 5.2.4 of web-auth/webauthn-lib. The fix ensures that origin validation properly compares the complete origin including scheme, host, and port components rather than just the hostname.
Security patches are available via the following commits:
For complete details, refer to the GitHub Security Advisory GHSA-f7pm-6hr8-7ggm.
Workarounds
- If immediate upgrade is not possible, implement strict origin validation at the reverse proxy or WAF level
- Configure web server rules to reject requests with unexpected origin headers before they reach the application
- Temporarily restrict WebAuthn functionality to environments where origin bypass risk is minimal
- Add application-level middleware that performs full origin comparison including scheme and port validation
# Upgrade web-auth/webauthn-lib via Composer
composer require web-auth/webauthn-lib:^5.2.4
# Verify the installed version
composer show web-auth/webauthn-lib | grep version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
