CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-F66Q-9RF6-8795

GHSA-f66q-9rf6-8795: WebAuthn Re-authentication Freshness Bypass in Flask-Security-Too

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 8, 2026·5 min read·4 visits

Executive Summary (TL;DR)

An authenticated attacker can bypass session freshness gates by submitting their own WebAuthn cryptographic signature inside a victim's stale session, gaining unauthorized access to administrative or sensitive functions.

An authentication freshness bypass vulnerability exists in the WebAuthn re-authentication path of Flask-Security-Too versions 5.8.0 and 5.8.1. The flaw allows an authenticated attacker to elevate the freshness status of a victim session using their own WebAuthn credential, bypassing re-authentication constraints.

Vulnerability Overview

The security package Flask-Security-Too implements WebAuthn support to facilitate passwordless and multi-factor authentication. To secure highly sensitive operations, the library utilizes session freshness validation via the @auth_required(within=...) decorator. When a user attempts to access a protected resource, the server checks if the session was authenticated within a specified time window.

If the session is stale, the application enforces re-authentication before the request can proceed. Users can satisfy this requirement using their registered WebAuthn credentials. The vulnerability resides in this re-authentication workflow and permits an attacker to falsify the freshness status of a session.

The attack surface requires the attacker to be an authenticated user on the same application instance. This vulnerability is classified under CWE-305, allowing an attacker to utilize WebAuthn as an alternate channel to bypass re-authentication requirements.

Root Cause Analysis

The flaw is located in the webauthn_verify_response view within flask_security/webauthn.py. When a re-authentication flow is initiated, the application issues a challenge and expects a cryptographic WebAuthn assertion in response. This response is validated using the WebAuthnSigninResponseForm.

During validation, the form parses the credential identifier from the client's assertion and retrieves the associated database user. However, the backend validation logic fails to check whether this retrieved user matches the active current_user of the session. The signature validation is processed successfully as long as the credential belongs to any valid user in the database.

Because of this validation oversight, once the signature is verified, the server executes session["fs_paa"] = time.time(). This line unconditionally updates the security freshness timestamp on the active session. Consequently, the victim's session is designated as fresh based on the cryptographic proof of the attacker's WebAuthn key.

Code Analysis

The vulnerable code segment demonstrates the absence of identity binding verification. In flask_security/webauthn.py at commit 5c44c76e33a20b67d02115e26d2da4bab18c094e, the application processes the signature validation as follows:

@auth_required(lambda: cv("API_ENABLED_METHODS"))
def webauthn_verify_response(token: str) -> ResponseValue:
    form = t.cast(
        WebAuthnSigninResponseForm, build_form_from_request("wan_signin_response_form")
    )
    # ... verification steps ...
    if form.validate_on_submit():
        # Code updates last use data
        form.cred.lastuse_datetime = _security.datetime_factory()
        _datastore.put(form.cred)
 
        # Unconditional update of session freshness
        session["fs_paa"] = time.time()

The WebAuthnSigninResponseForm.validate method resolves the user object strictly from the credential ID query. It executes self.user = _datastore.find_user_from_webauthn(self.cred). It never compares this self.user instance against the active session user, allowing cross-user re-authentication assertions to succeed.

This behavior contrasts with the patched OAuth flow implemented in a previous release. The OAuth re-authentication path explicitly checks if user and user.email == current_user.email before updating the session freshness parameter. The lack of an equivalent check on the WebAuthn code path leaves the freshness mechanism exposed.

Exploitation

An exploitation sequence requires the attacker to possess an active account on the deployment and a registered WebAuthn credential. The attacker must also have access to the victim's session, which has entered a stale freshness state. This scenario often occurs in shared workstation environments or when session tokens are partially exfiltrated.

The attacker initiates the re-authentication sequence within the victim's session by making a request to the /wan-verify endpoint. The server responds with a WebAuthn challenge wrapped in a temporary state token. Because these state tokens lack user binding, they are highly portable.

Instead of utilizing the victim's credentials, the attacker signs this challenge using their own WebAuthn key. The attacker then submits the assertion back to the endpoint. The backend validates the assertion against the attacker's public key, marks the form as valid, and advances the session freshness timer on the victim's active session.

Impact Assessment

The impact of this security freshness bypass is significant, as it completely subverts the isolation between authentication strengths. Freshness gates are critical defense-in-depth mechanisms designed to protect highly sensitive operations from unauthorized modification. These operations include password resets, multi-factor authentication enrollment, and email modifications.

By leveraging this bypass, an attacker can modify the security parameters of the victim's account. This allows the attacker to register a permanent authenticating credential under their control or change the primary email address. This results in complete and persistent account takeover.

The vulnerability does not allow direct initial access but acts as a privilege escalation and security bypass tool. It elevates a standard, stale session to a fresh administrative-grade session. No user interaction from the victim is required once the session is active.

Remediation & Mitigation

Remediation requires upgrading the flask-security-too package to version 5.8.2 or later. This patch introduces a verification step to ensure the WebAuthn assertion belongs to the active session owner. The security check compares the user object retrieved from the credential with the session's active user identity.

If upgrading immediately is not feasible, deployers should disable WebAuthn re-authentication. This can be accomplished by removing WebAuthn from the allowed verification options in the configuration. Adjust the SECURITY_WAN_ALLOW_AS_VERIFY parameter to exclude WebAuthn verification.

In addition, implementing robust monitoring of the /wan-verify endpoint can help identify anomalous behavior. Security teams should monitor for instances where the authenticated session user differs from the user owner of the WebAuthn credential utilized during re-authentication.

Fix Analysis (1)

Technical Appendix

CVSS Score
5.3/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Systems

Flask-Security-Too

Affected Versions Detail

Product
Affected Versions
Fixed Version
flask-security-too
pallets-eco
>= 5.8.0, <= 5.8.15.8.2
AttributeDetail
CWE IDCWE-305
Attack VectorNetwork
CVSS Score5.3 (Medium)
Exploit StatusProof-of-Concept Available
ImpactRe-authentication Freshness Bypass
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1556Modify Authentication Process
Credential Access
T1539Steal Web Session Cookie
Credential Access
CWE-305
Authentication Bypass by Alternate Channel

The application processes a WebAuthn signature without validating that the authenticated identity matches the current session user.

References & Sources

  • [1]GitHub Security Advisory GHSA-f66q-9rf6-8795

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•17 minutes ago•GHSA-Q855-8RH5-JFGQ
6.5

GHSA-Q855-8RH5-JFGQ: Missing Authentication and CSRF in ha-mcp bare root settings and policy routes

The ha-mcp add-on for Home Assistant exposes its settings and security policy routes without authentication at the bare root path of TCP port 9583. This exposure allows unauthorized adjacent network clients to reconfigure tools, alter policies, and bypass human-in-the-loop approval gates. The vulnerability has been addressed in development build 7.6.0.dev393 and subsequent releases by restricting access to root-mounted routes exclusively to the Supervisor Ingress IP.

Amit Schendel
Amit Schendel
2 views•8 min read
•about 1 hour ago•CVE-2026-50127
5.9

CVE-2026-50127: Server-Side Request Forgery Bypass via IPv6 Transition Prefixes in Weblate

A Server-Side Request Forgery (SSRF) vulnerability exists in Weblate's private address validator when the VCS_RESTRICT_PRIVATE setting is enabled. By exploiting IPv6 transition mechanisms, such as NAT64, 6to4, or IPv4-compatible configurations, an attacker can bypass private network boundaries and access internal services.

Alon Barad
Alon Barad
5 views•6 min read
•about 2 hours ago•GHSA-P2FR-6HMX-4528
6.4

GHSA-p2fr-6hmx-4528: Unbound Resource Indicators Allow Cross-Audience Access Token Escalation in @better-auth/oauth-provider

A security vulnerability in @better-auth/oauth-provider allows OAuth clients to obtain access tokens for unauthorized audiences due to unbound resource indicators. The implementation fails to bind the requested target resource to the initial authorization grant. Consequently, a client can request an access token targeting any resource server within the global allowlist, bypassing user consent boundaries.

Alon Barad
Alon Barad
4 views•6 min read
•about 2 hours ago•GHSA-86J7-9J95-VPQJ
8.8

GHSA-86J7-9J95-VPQJ: Stored Cross-Site Scripting in Better Auth Plugins via Malicious Redirect URIs

A stored cross-site scripting vulnerability exists in the oidc-provider and mcp plugins of Better Auth. Attackers can register malicious clients with javascript: redirect URIs, leading to origin takeover when users authorize the client.

Amit Schendel
Amit Schendel
6 views•5 min read
•about 3 hours ago•GHSA-9H47-PQCX-HJR4
9.8

GHSA-9H47-PQCX-HJR4: Insecure Cryptographic Defaults in Better Auth OIDC Provider

The Better Auth framework's OIDC provider implementation (oidcProvider) contained insecure cryptographic defaults before version 1.6.11. It advertised the insecure alg=none signing algorithm and accepted plain PKCE challenges by default, leaving downstream clients vulnerable to token signature bypasses and authorization code interception attacks.

Alon Barad
Alon Barad
5 views•6 min read
•about 4 hours ago•GHSA-2VG6-77G8-24MP
3.8

GHSA-2vg6-77g8-24mp: Insufficient Session Expiration via Incomplete Cleanup in Better Auth Ecosystem

A critical session persistence vulnerability exists within the Better Auth framework when configured to use external secondary storage (such as Redis or Cloudflare KV) with default database options. Due to four incomplete user-deletion code paths, active user sessions are not evicted from secondary storage caches during deletion events. As a result, deleted users retain full system access via their pre-existing session cookies until the Session Time-To-Live (TTL) expires.

Amit Schendel
Amit Schendel
5 views•5 min read