Vulnerability Description
web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. This vulnerability is fixed in 5.2.4.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Spomky-Labs | Webauthn-Lib | >= 5.2.0, < 5.2.4 |
| Spomky-Labs | Webauthn-Symfony-Bundle | >= 5.2.0, < 5.2.4 |
| Spomky-Labs | Webauthn Framwork | >= 5.2.0, < 5.2.4 |
Related Weaknesses (CWE)
References
- https://github.com/web-auth/webauthn-framework/commit/535cc3c2dcbd9c3dfd5e00a254Patch
- https://github.com/web-auth/webauthn-framework/commit/b4cd9a4394c35fcac6080fd2f8Patch
- https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hrExploitVendor Advisory
- https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hrExploitVendor Advisory
FAQ
What is CVE-2026-30964?
CVE-2026-30964 is a vulnerability with a CVSS score of 5.4 (MEDIUM). web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allow...
How severe is CVE-2026-30964?
CVE-2026-30964 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30964?
Check the references section above for vendor advisories and patch information. Affected products include: Spomky-Labs Webauthn-Lib, Spomky-Labs Webauthn-Symfony-Bundle, Spomky-Labs Webauthn Framwork.