{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30964", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:53:48.814Z", "datePublished": "2026-03-10T17:16:46.895Z", "dateUpdated": "2026-03-10T17:57:34.091Z"}, "containers": {"cna": {"title": "Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hr8-7ggm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hr8-7ggm"}, {"name": "https://github.com/web-auth/webauthn-framework/commit/535cc3c2dcbd9c3dfd5e00a254ad4a984e5e7839", "tags": ["x_refsource_MISC"], "url": "https://github.com/web-auth/webauthn-framework/commit/535cc3c2dcbd9c3dfd5e00a254ad4a984e5e7839"}, {"name": "https://github.com/web-auth/webauthn-framework/commit/b4cd9a4394c35fcac6080fd2f84f4f58a30abc01", "tags": ["x_refsource_MISC"], "url": "https://github.com/web-auth/webauthn-framework/commit/b4cd9a4394c35fcac6080fd2f84f4f58a30abc01"}], "affected": [{"vendor": "web-auth", "product": "webauthn-framework", "versions": [{"version": "< 5.2.4", "status": "affected"}]}, {"vendor": "web-auth", "product": "webauthn-lib", "versions": [{"version": "< 5.2.4", "status": "affected"}]}, {"vendor": "web-auth", "product": "webauthn-symfony-bundle", "versions": [{"version": "< 5.2.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T17:16:46.895Z"}, "descriptions": [{"lang": "en", "value": "web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. This vulnerability is fixed in 5.2.4."}], "source": {"advisory": "GHSA-f7pm-6hr8-7ggm", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hr8-7ggm", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T17:57:30.314634Z", "id": "CVE-2026-30964", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T17:57:34.091Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30964", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T17:57:30.314634Z"}}}], "references": [{"url": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hr8-7ggm", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T17:57:22.412Z"}}], "cna": {"title": "Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation", "source": {"advisory": "GHSA-f7pm-6hr8-7ggm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "web-auth", "product": "webauthn-framework", "versions": [{"status": "affected", "version": "< 5.2.4"}]}, {"vendor": "web-auth", "product": "webauthn-lib", "versions": [{"status": "affected", "version": "< 5.2.4"}]}, {"vendor": "web-auth", "product": "webauthn-symfony-bundle", "versions": [{"status": "affected", "version": "< 5.2.4"}]}], "references": [{"url": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hr8-7ggm", "name": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hr8-7ggm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/web-auth/webauthn-framework/commit/535cc3c2dcbd9c3dfd5e00a254ad4a984e5e7839", "name": "https://github.com/web-auth/webauthn-framework/commit/535cc3c2dcbd9c3dfd5e00a254ad4a984e5e7839", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/web-auth/webauthn-framework/commit/b4cd9a4394c35fcac6080fd2f84f4f58a30abc01", "name": "https://github.com/web-auth/webauthn-framework/commit/b4cd9a4394c35fcac6080fd2f84f4f58a30abc01", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. This vulnerability is fixed in 5.2.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T17:16:46.895Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30964", "state": "PUBLISHED", "dateUpdated": "2026-03-10T17:57:34.091Z", "dateReserved": "2026-03-07T17:53:48.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T17:16:46.895Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:spomky-labs:webauthn-lib:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B3FDA39-7E8E-4393-B618-705FC6E261B5", "versionEndExcluding": "5.2.4", "versionStartIncluding": "5.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:spomky-labs:webauthn-symfony-bundle:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C68F3BB-963D-4216-95DD-7EB4CFF2FAA2", "versionEndExcluding": "5.2.4", "versionStartIncluding": "5.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:spomky-labs:webauthn_framwork:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2D412A1-79BE-433D-9700-ED728B93761C", "versionEndExcluding": "5.2.4", "versionStartIncluding": "5.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. This vulnerability is fixed in 5.2.4."}, {"lang": "es", "value": "web-auth/webauthn-lib es un conjunto de c\u00f3digo abierto de bibliotecas PHP y un paquete de Symfony para permitir a los desarrolladores integrar ese mecanismo de autenticaci\u00f3n en sus aplicaciones web. Antes de la versi\u00f3n 5.2.4, cuando se configura allowed_origins, CheckAllowedOrigins reduce los valores similares a URL a su componente de host y acepta solo la coincidencia de host. Esto hace que las pol\u00edticas de origen exactas sean imposibles de expresar: las diferencias de esquema y puerto se ignoran silenciosamente. Esta vulnerabilidad se corrige en la versi\u00f3n 5.2.4."}], "id": "CVE-2026-30964", "lastModified": "2026-05-07T18:35:56.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T18:18:55.410", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/web-auth/webauthn-framework/commit/535cc3c2dcbd9c3dfd5e00a254ad4a984e5e7839"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/web-auth/webauthn-framework/commit/b4cd9a4394c35fcac6080fd2f84f4f58a30abc01"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hr8-7ggm"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hr8-7ggm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "webauthn-framework", "source": "cna", "vendor": "web-auth"}, "product": "webauthn-framework", "vendor": "web-auth"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "webauthn-lib", "source": "cna", "vendor": "web-auth"}, "product": "webauthn-lib", "vendor": "web-auth"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "webauthn-symfony-bundle", "source": "cna", "vendor": "web-auth"}, "product": "webauthn-symfony-bundle", "vendor": "web-auth"}], "analysis": {"en": {"generated_at": "2026-04-17T11:41:19.730004+00:00", "value": {"mitigation_remediation": ["Upgrade the web-auth/webauthn-framework, web-auth/webauthn-lib, and web-auth/webauthn-symfony-bundle to version 5.2.4 or later.", "Re\u2011evaluate the allowed_origins configuration to ensure it contains fully qualified origins (scheme, host, and port) rather than generic host patterns, and disable any overly permissive entries.", "If an upgrade cannot be performed immediately, temporarily disable Webauthn authentication routes or restrict access to those routes until the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Origin Validation Bypass"}, "threat_synthesis": {"affected_systems": "Vulnerable products include the web-auth ecosystem: web-auth/webauthn-framework, web-auth/webauthn-lib, and web-auth/webauthn-symfony-bundle. All versions prior to 5.2.4 are affected. Versions 5.2.4 and later contain the remediation.", "description_and_impact": "The fault lies in the origin validation routine of the web-auth library. When allowed_origins is configured, the code trims any URL-like entry to its host component and verifies a match solely on that host. This behavior overlooks differences in scheme or port, enabling an attacker to supply a forged origin that matches the host but carries a manipulated scheme or port. The consequence is a literal bypass of origin checks, allowing an unauthenticated requester to masquerade as a legitimate origin and potentially obtain or tamper with Webauthn credentials. This flaw, classified as CWE\u2011346, directly undermines the authenticity guarantees that Webauthn purports to provide.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate impact, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to target a deployment that relies on exact origin checks for Webauthn authentication; by sending traffic with a crafted Origin header that matches only the host, the attacker can bypass the intended origin restriction. No additional privileges are required beyond the ability to make HTTP requests to the vulnerable application."}}}}, "created": "2026-03-11T11:44:56.802444+00:00", "updated": "2026-04-17T11:45:06.242922+00:00", "vendors": ["web-auth", "web-auth$PRODUCT$webauthn-framework", "web-auth$PRODUCT$webauthn-lib", "web-auth$PRODUCT$webauthn-symfony-bundle"]}