Yubico webauthn-server-core 2.8.0-2.8.1: Return-Value Bypass in 2FA
CVE-2026-46419 Published on May 14, 2026

Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation.

NVD

Vulnerability Analysis

CVE-2026-46419 can be exploited with network access and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Weakness Type

Incorrect Check of Function Return Value

The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions. Important and common functions return a value that indicates whether their actions succeeded. This value tells the program whether it needs to handle any errors caused by that function.


Affected Versions

Yubico webauthn-server-core: