PatchSiren

CVE-2026-46419 Yubico CVE debrief

CVE-2026-46419 affects Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 through 2.8.1. The issue is an incorrect check of a function return value in the second-factor flow, which can lead to impersonation. The source data maps this to CWE-253 and rates it CVSS 7.5 (High). Yubico’s advisory and the 2.8.2 release are the supplied remediation references.

Vendor: Yubico
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

Organizations using Yubico webauthn-server-core / java-webauthn-server in applications that rely on the second-factor authentication flow, especially if deployed versions may be 2.8.0 or 2.8.1.

Technical summary

The vulnerability is a logic error in the second-factor flow: a function return value is checked incorrectly, which can lead to impersonation. The supplied CVSS vector indicates network reachability, high attack complexity, low privileges, no user interaction, and high impact to confidentiality, integrity, and availability. Affected versions are 2.8.0 up to, but not including, 2.8.2; the issue is categorized as CWE-253 (Incorrect Check of Function Return Value).

Defensive priority

High. The flaw can enable impersonation in an authentication path, so affected deployments should be prioritized for version verification and upgrade.

Recommended defensive actions

  • Upgrade Yubico webauthn-server-core / java-webauthn-server to 2.8.2 or later, per the supplied Yubico release reference.
  • Inventory applications and services that depend on this library and confirm whether any deployed instance is running 2.8.0 or 2.8.1.
  • Review second-factor authentication integrations after upgrading to confirm expected login and assertion behavior.
  • Track the Yubico security advisory and package release notes for any additional guidance tied to the fix.
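
For the inventory step, the following added example (not Yubico's code and not part of the original debrief) flags references to webauthn-server-core 2.8.0 or 2.8.1 in Maven dependency:list output, Gradle lockfiles and dependency trees, and jar file names. The function names and the sample lines are constructed for illustration; the Maven group ID com.yubico is assumed from the library's published coordinates.

```python
import re

# Affected range per the debrief: 2.8.0 and 2.8.1; fixed in 2.8.2.
FIRST_AFFECTED, FIRST_FIXED = (2, 8, 0), (2, 8, 2)
VER = r"([0-9][\w.\-]*)"
# Maven/Gradle coordinate; Gradle prints "requested -> resolved" on conflicts.
COORD = re.compile(r"com\.yubico:webauthn-server-core:(?:jar:)?" + VER
                   + r"(?:\s*->\s*" + VER + r")?")
# Jar file name as found in WEB-INF/lib, fat jars or container layers.
JAR = re.compile(r"webauthn-server-core-([0-9][\w.\-]*?)\.jar")

def is_affected(version):
    """True/False for x.y.z versions, None when the string cannot be parsed.

    Assumption: only the numeric x.y.z part is compared; qualifiers such as
    "-RC1" are ignored, so review those findings by hand.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        return None
    core = tuple(int(g) for g in m.groups())
    return FIRST_AFFECTED <= core < FIRST_FIXED

def scan(lines):
    """Return (line_number, resolved_version, affected) for each reference."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in COORD.finditer(line):
            version = m.group(2) or m.group(1)  # resolved version wins
            findings.append((n, version, is_affected(version)))
        for m in JAR.finditer(line):
            findings.append((n, m.group(1), is_affected(m.group(1))))
    return findings

# Constructed sample input: Maven dependency:list, Gradle lockfile,
# Gradle dependency tree, a jar path, and an unrelated library.
SAMPLE = [
    "[INFO]    com.yubico:webauthn-server-core:jar:2.8.1:compile",
    "com.yubico:webauthn-server-core:2.8.0=runtimeClasspath",
    "+--- com.yubico:webauthn-server-core:2.7.0 -> 2.8.2",
    "app/WEB-INF/lib/webauthn-server-core-2.8.0.jar",
    "org.example:other-lib:2.8.1=runtimeClasspath",
]

if __name__ == "__main__":
    for n, version, affected in scan(SAMPLE):
        status = {True: "AFFECTED", False: "ok", None: "CHECK MANUALLY"}[affected]
        print(f"line {n}: webauthn-server-core {version} -> {status}")
```

Feed it the saved output of the build tool or a file listing of deployed artifacts, since the version that ships can differ from the one declared in the build file.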

Evidence notes

The source corpus points to Yubico security advisory YSA-2026-02 and the GitHub release tag 2.8.2 as remediation references. The GitHub Advisory Database entry is marked unreviewed, and the supplied metadata lists CWE-253 with CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5 High). The supplied CVE and source item timestamps show publication at 2026-05-14T03:32:09Z and modification at 2026-05-14T06:31:32Z. No KEV entry is present in the supplied data.

Official resources

Publicly disclosed on 2026-05-14T03:32:09Z and modified the same day at 2026-05-14T06:31:32Z. The supplied NVD publication timestamp is 2026-05-14T02:17:21Z.