PT-2026-24193 · Unknown · Webauthn-Lib
Dorakemon · Published 2026-03-10 · Updated 2026-05-07
CVE-2026-30964
CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: web-auth/webauthn-lib, versions prior to 5.2.4
Description: When the allowed origins configuration is used, the library's origin validation reduces URL-like values to their host component and accepts a match on the host alone. Exact origin policies therefore cannot be enforced, because differences in scheme and port are ignored. Specifically, the CheckAllowedOrigins component calls parse_url() to extract the host from each configured allowed origin and from the incoming clientDataJSON.origin, and compares only those hosts. As a result, a clientDataJSON.origin whose scheme or port differs from a configured allowed origin (for example, an http:// origin or a non-default port where only an https:// origin on the default port was intended) passes validation. The issue affects deployments that use the allowed origins setting and bypasses the exact-origin check that WebAuthn requires. The vulnerable component is CheckAllowedOrigins.php; the vulnerable parameter is clientDataJSON.origin.
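As an added illustration (not code from webauthn-lib, and written in Python rather than the library's PHP), the following contrasts the host-only comparison described above with an exact-origin comparison of scheme, host and port. The allowed-origin list and the candidate origins are constructed sample values, the function names are illustrative, and urllib.parse.urlsplit stands in for PHP's parse_url() as the host-extraction step.

```python
from urllib.parse import urlsplit

# Constructed sample configuration: the relying party allows exactly one origin.
ALLOWED_ORIGINS = ["https://login.example.com"]


def _host_of(value):
    """Reduce a URL-like value to its host, as the advisory describes
    (urlsplit stands in for parse_url()). Returns '' when no host parses."""
    try:
        return (urlsplit(value).hostname or "").lower()
    except ValueError:
        return ""


def host_only_match(origin, allowed=ALLOWED_ORIGINS):
    """Weak pattern: compare hosts only. Scheme and port never take part, so an
    http:// origin or a non-default port is accepted for an https:// allowed origin."""
    host = _host_of(origin)
    return bool(host) and any(_host_of(a) == host for a in allowed)


def _exact_origin(value):
    """Normalise a serialized origin to (scheme, host, port), or return None when
    the value is not a bare origin (path, query, fragment, userinfo, unknown scheme)."""
    try:
        parts = urlsplit(value)
        scheme = parts.scheme.lower()
        if scheme not in ("https", "http") or not parts.hostname:
            return None
        if parts.path or parts.query or parts.fragment or parts.username is not None:
            return None
        # Default ports are normalised so "https://h" and "https://h:443" compare equal.
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:  # e.g. a non-numeric port
        return None
    return (scheme, parts.hostname.lower(), port)


def exact_origin_match(origin, allowed=ALLOWED_ORIGINS):
    """Hardened pattern: scheme, host and port must all match a configured origin."""
    candidate = _exact_origin(origin)
    return candidate is not None and any(_exact_origin(a) == candidate for a in allowed)


def compare(origin, allowed=ALLOWED_ORIGINS):
    """Return (host_only_result, exact_result) for one clientDataJSON.origin value."""
    return host_only_match(origin, allowed), exact_origin_match(origin, allowed)


if __name__ == "__main__":
    # Constructed candidate origins that a browser could place in clientDataJSON.origin.
    for candidate in ["https://login.example.com", "http://login.example.com",
                      "https://login.example.com:8443", "https://login.example.com.evil.test"]:
        host_only, exact = compare(candidate)
        print(f"{candidate:40} host-only={host_only!s:5} exact={exact}")
```

Running the module shows the two checks agreeing on the exact configured origin and on an unrelated host, and disagreeing on the http:// and :8443 variants, which is the gap the advisory describes.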
Recommendations: Upgrade web-auth/webauthn-lib to version 5.2.4 or later. The installed version can be confirmed with `composer show web-auth/webauthn-lib`. After upgrading, verify that configured allowed origins are written as full serialized origins (scheme, host and, where non-default, port) rather than bare hosts.

Weakness Enumeration: Origin Validation Error (CWE-346)

Related Identifiers: CVE-2026-30964, GHSA-F7PM-6HR8-7GGM

Affected Products: Webauthn-Lib