CVE-2026-46419 Overview
CVE-2026-46419 affects Yubico webauthn-server-core (also known as java-webauthn-server) versions 2.8.0 through 2.8.1. The library incorrectly checks a function's return value during the second factor authentication flow. This logic error allows an attacker to impersonate a legitimate user when the affected code path is reached. The flaw is tracked as CWE-253: Incorrect Check of Function Return Value. Yubico addressed the issue in release 2.8.2 and documented the fix in Yubico Security Advisory YSA-2026-02.
Critical Impact
An attacker can bypass second factor verification and impersonate a target user, compromising confidentiality, integrity, and availability of authenticated sessions.
Affected Products
- Yubico webauthn-server-core (Java WebAuthn Server) version 2.8.0
- Yubico webauthn-server-core (Java WebAuthn Server) version 2.8.1
- Applications embedding the affected java-webauthn-server library for WebAuthn second factor flows
Discovery Timeline
- 2026-05-14 - CVE-2026-46419 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-46419
Vulnerability Analysis
The webauthn-server-core library implements the server side of the Web Authentication (WebAuthn) specification. In versions 2.8.0 and 2.8.1, the second factor verification flow contains an incorrect check of a function's return value. When that function signals failure through its return value, the calling code does not interpret the result correctly. The flow continues as if verification had succeeded.
The defect maps to CWE-253. This class of bug typically arises when a method returns a status indicator that is misread, ignored, or compared against the wrong sentinel. In an authentication context, the consequence is that an unsuccessful cryptographic or policy check is treated as a successful one.
Because WebAuthn second factor flows gate access to authenticated user sessions, the failure produces an authentication bypass. An attacker who can reach the second factor verification step can complete the flow without presenting a valid authenticator assertion for the targeted account.
Root Cause
The root cause is logic in the second factor flow that does not correctly handle the return value of a helper function. Yubico's fix in version 2.8.2 corrects the conditional handling so that failed verifications propagate as authentication errors rather than success.
Attack Vector
The vulnerability is exploitable over the network against any application that uses an affected webauthn-server-core version for second factor authentication. The attacker must already hold valid first factor credentials, such as a username and password, for the targeted account. Attack complexity is high because exploitation depends on reaching the specific code path in the second factor flow. No user interaction with the legitimate account holder is required.
The vulnerability is described in prose only because no public proof-of-concept code is available. Refer to the GitHub release notes for 2.8.2 and the Yubico Security Advisory YSA-2026-02 for vendor technical detail.
Detection Methods for CVE-2026-46419
Indicators of Compromise
- Successful authentication events for accounts where the corresponding WebAuthn authenticator did not produce a matching assertion in device or hardware token logs.
- Second factor finishAssertion calls in application logs that complete without a corresponding client-side authenticator interaction.
- Logins from new devices, geolocations, or IP addresses immediately following first factor authentication for high-value accounts.
Detection Strategies
- Inventory all Java applications and identify those bundling webauthn-server-core or java-webauthn-server at versions 2.8.0 or 2.8.1 using software composition analysis.
- Correlate WebAuthn server-side success events with authenticator-side telemetry, such as YubiKey or platform authenticator usage records, to detect mismatches.
- Alert on second factor success events that lack the expected clientDataJSON and authenticatorData fields or that show anomalous signature counters.
Monitoring Recommendations
- Forward WebAuthn authentication logs to a centralized log platform and retain them for post-incident review.
- Monitor for sudden increases in second factor success rates after deploying or upgrading the library.
- Track signature counter regressions and credential reuse across distinct sessions, which can indicate replay or impersonation attempts.
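The detection strategies and monitoring recommendations above, applied to constructed log data as an added example (not code from the advisory or from java-webauthn-server): it correlates server-side second factor successes with authenticator-side usage records, flags successes missing the clientDataJSON and authenticatorData fields, and reports signature counter regressions. The JSON field names, the 30-second correlation window and the log lines themselves are assumptions.

```python
import json
from collections import defaultdict

# Constructed server-side second factor success events (one JSON object per line).
# Field names are assumed for this example, not the library's own log format.
SERVER_LOG = """
{"ts": 100, "event": "2fa_success", "user": "alice", "cred": "c1", "sign_count": 41, "clientDataJSON": true, "authenticatorData": true}
{"ts": 160, "event": "2fa_success", "user": "alice", "cred": "c1", "sign_count": 42, "clientDataJSON": true, "authenticatorData": true}
{"ts": 300, "event": "2fa_success", "user": "bob", "cred": "c2", "sign_count": 7, "clientDataJSON": false, "authenticatorData": false}
{"ts": 420, "event": "2fa_success", "user": "alice", "cred": "c1", "sign_count": 40, "clientDataJSON": true, "authenticatorData": true}
"""
# Constructed authenticator-side usage records (e.g. hardware token telemetry).
AUTHENTICATOR_LOG = """
{"ts": 99, "user": "alice", "cred": "c1"}
{"ts": 158, "user": "alice", "cred": "c1"}
"""
WINDOW = 30  # assumed tolerance (seconds) between authenticator use and server success


def parse(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def review(server_text, auth_text, window=WINDOW):
    """Return (ts, user, reason) findings for suspicious second factor successes."""
    auth_uses = defaultdict(list)
    for rec in parse(auth_text):
        auth_uses[(rec["user"], rec["cred"])].append(rec["ts"])
    last_count = {}
    findings = []
    for ev in sorted(parse(server_text), key=lambda e: e["ts"]):
        if ev["event"] != "2fa_success":
            continue
        key = (ev["user"], ev["cred"])
        # 1. Success with no authenticator interaction shortly before it.
        if not any(0 <= ev["ts"] - t <= window for t in auth_uses[key]):
            findings.append((ev["ts"], ev["user"], "no_authenticator_interaction"))
        # 2. Success lacking the assertion fields a real verification needs.
        if not (ev.get("clientDataJSON") and ev.get("authenticatorData")):
            findings.append((ev["ts"], ev["user"], "missing_assertion_fields"))
        # 3. Signature counter did not increase: replay or impersonation indicator.
        #    A previous counter of 0 means the authenticator reports no counter, so skip.
        prev = last_count.get(key)
        if prev and ev["sign_count"] <= prev:
            findings.append((ev["ts"], ev["user"], "counter_regression"))
        last_count[key] = max(ev["sign_count"], prev or 0)
    return findings
```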
How to Mitigate CVE-2026-46419
Immediate Actions Required
- Upgrade webauthn-server-core to version 2.8.2 or later in all applications that consume the library.
- Rebuild and redeploy any internal artifacts that statically link or shade the affected library.
- Review authentication logs for the period during which an affected version was deployed and investigate suspicious second factor success events.
Patch Information
Yubico released the fix in java-webauthn-server 2.8.2. Vendor guidance and affected version ranges are published in Yubico Security Advisory YSA-2026-02. Update Maven or Gradle dependency declarations to pull 2.8.2 or a later release in the 2.8.x line.
Workarounds
- Downgrade to a pre-2.8.0 release of webauthn-server-core if upgrading to 2.8.2 is not immediately feasible and the older release is compatible with the application.
- Require an additional out-of-band verification step, such as step-up authentication or transaction signing, for sensitive operations until the patched version is deployed.
- Restrict the application's exposure by limiting second factor endpoints to known networks where operational requirements allow.
# Maven dependency update example
# Replace the existing webauthn-server-core version with the patched release
mvn versions:use-dep-version \
    -Dincludes=com.yubico:webauthn-server-core \
    -DdepVersion=2.8.2 \
    -DforceVersion=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.