PT-2026-44442 · Pypi · Edumfa

Published 2026-05-18 · Updated 2026-05-18

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Impact

In eduMFA < 2.9.1, userless Passkey/WebAuthn challenges might be replayed and do not expire.

Patches

Fixed in eduMFA >= 2.9.1 by adding validity information to the userless challenges.
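
One way to give userless challenges validity information and single-use semantics, as an added example (this is not eduMFA's code or its actual patch). The class, its method names and the 120-second window are assumptions, and WebAuthn signature verification is out of scope.

```python
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 120  # assumed validity window, not an eduMFA default


class UserlessChallengeStore:
    """Hypothetical in-memory store for challenges issued before the user is known."""

    def __init__(self, ttl=CHALLENGE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # transaction_id -> (challenge, expires_at)

    def issue(self):
        """Create a fresh challenge and record when it stops being valid."""
        transaction_id = secrets.token_urlsafe(16)
        challenge = secrets.token_urlsafe(32)
        self._pending[transaction_id] = (challenge, self._clock() + self._ttl)
        return transaction_id, challenge

    def consume(self, transaction_id, client_challenge):
        """Return True once per challenge, and only inside its validity window."""
        # pop() removes the entry on every attempt, so a captured response
        # cannot be presented a second time, whatever the first outcome was.
        entry = self._pending.pop(transaction_id, None)
        if entry is None:
            return False  # unknown transaction, or challenge already used
        challenge, expires_at = entry
        if self._clock() >= expires_at:
            return False  # validity window has passed
        # Constant-time comparison against the challenge echoed by the client.
        return hmac.compare_digest(challenge.encode(), client_challenge.encode())

    def purge_expired(self):
        """Drop abandoned challenges so the store does not grow without bound."""
        now = self._clock()
        stale = [t for t, (_, exp) in self._pending.items() if exp <= now]
        for t in stale:
            del self._pending[t]
        return len(stale)
```
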

Workarounds

No known workarounds besides disabling userless login altogether.

Fix

Insufficient Session Expiration

Improper Authentication

Weakness Enumeration

Related Identifiers

GHSA-J5RM-V3VH-VX94

Affected Products

Edumfa