Cyber Resilience

CVE-2025-26788

Severity: High
Published: 14 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (StrongKey FIDO Server 4.15.1 or later)
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.0003 (8.6th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26788 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in StrongKey FIDO Server before 4.15.1 (the affected product is inferred from the references and description; NVD has not filed a CPE). Its CVSS v3.1 base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 8.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26788 is a vulnerability in StrongKey FIDO Server versions before 4.15.1, where the server incorrectly treats a non-discoverable (namedcredential) flow as a discoverable transaction. This issue, linked to CWE-639 (Authorization Bypass Through User-Controlled Key), carries a CVSS v3.1 base score of 8.4 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L), indicating high severity due to its potential for significant confidentiality and integrity impacts.

The vector describes an attacker with low privileges (PR:L, i.e. an ordinary enrolled user) acting over the network (AV:N) with no user interaction (UI:N); attack complexity is rated high (AC:H). Scope is changed (S:C): the vulnerable component is the FIDO server, but the impact lands on the relying-party accounts it authenticates, with high confidentiality and integrity impact (C:H/I:H) and low availability impact (A:L). In practice this is an authentication bypass: a passkey assertion can be accepted for an account other than the one the credential belongs to, compromising that user's session or credentials.
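To make the CWE-639 pattern concrete, the following is an added illustration, not StrongKey's code (the page does not reproduce it) and not a description of the exact StrongKey code path. It models a server that, in a non-discoverable ("named credential") flow where the relying party names the user up front, resolves the signing key from the credential ID in the response the way a discoverable passkey flow would, and so never checks that the credential belongs to the named user. The hardened handler binds the presented credential to the challenge context. Signature verification is simulated with HMAC so the example runs on the standard library alone; the RP ID, usernames and key material are constructed for the example.

```python
"""
Added example (not StrongKey code): CWE-639 in a FIDO assertion check.
Non-discoverable flow: the RP names the user, the server must accept only a
credential registered to that user. Resolving the key from the caller-supplied
credential ID alone (discoverable behaviour) lets any enrolled user answer a
challenge issued in another user's name with their own key.

HMAC stands in for public-key signature verification so this runs offline;
the authorization bug does not depend on the signature algorithm.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    cred_id: bytes
    username: str
    key: bytes  # stands in for the registered public key


class Authenticator:
    """Client-side passkey holder (constructed); signs challenges with its key."""

    def __init__(self, server: "FidoServer", username: str) -> None:
        self.cred_id = secrets.token_bytes(16)
        self.key = secrets.token_bytes(32)
        server.register(username, self.cred_id, self.key)

    def sign(self, rp_id: str, challenge: bytes) -> bytes:
        return hmac.new(self.key, rp_id.encode() + challenge, hashlib.sha256).digest()


class FidoServer:
    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self.by_id: dict[bytes, Credential] = {}
        self.by_user: dict[str, list[Credential]] = {}
        self.pending: dict[bytes, dict] = {}  # challenge -> issued context

    def register(self, username: str, cred_id: bytes, key: bytes) -> None:
        cred = Credential(cred_id, username, key)
        self.by_id[cred_id] = cred
        self.by_user.setdefault(username, []).append(cred)

    def preauthenticate(self, username: str) -> tuple[bytes, list[bytes]]:
        """Non-discoverable flow: challenge plus allowCredentials for the named user."""
        challenge = secrets.token_bytes(32)
        allow = [c.cred_id for c in self.by_user.get(username, [])]
        self.pending[challenge] = {"username": username, "allow": allow}
        return challenge, allow

    def _signature_ok(self, cred: Credential, challenge: bytes, sig: bytes) -> bool:
        expected = hmac.new(cred.key, self.rp_id.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

    def authenticate_vulnerable(self, challenge: bytes, cred_id: bytes, sig: bytes):
        """Discoverable-style lookup in a non-discoverable flow: key chosen by the
        caller-supplied credential ID, success reported for the user named in the
        challenge, who is never compared with the credential's owner."""
        ctx = self.pending.pop(challenge, None)
        if ctx is None:
            return None  # unknown or replayed challenge
        cred = self.by_id.get(cred_id)
        if cred is None or not self._signature_ok(cred, challenge, sig):
            return None
        return ctx["username"]  # BUG: cred.username is never checked

    def authenticate_fixed(self, challenge: bytes, cred_id: bytes, sig: bytes):
        """The credential must be one offered in allowCredentials for this challenge
        and must be registered to the named user before the signature is trusted."""
        ctx = self.pending.pop(challenge, None)
        if ctx is None:
            return None
        if cred_id not in ctx["allow"]:
            return None  # not offered for this user
        cred = self.by_id.get(cred_id)
        if cred is None or cred.username != ctx["username"]:
            return None
        if not self._signature_ok(cred, challenge, sig):
            return None
        return cred.username


def demo() -> tuple:
    """mallory (a low-privileged enrolled user) answers a challenge issued for alice
    with her own credential. Returns (vulnerable result, fixed result, legitimate)."""
    server = FidoServer("login.example.test")
    alice = Authenticator(server, "alice")
    mallory = Authenticator(server, "mallory")

    ch, _ = server.preauthenticate("alice")
    vulnerable = server.authenticate_vulnerable(ch, mallory.cred_id, mallory.sign(server.rp_id, ch))

    ch, _ = server.preauthenticate("alice")
    fixed = server.authenticate_fixed(ch, mallory.cred_id, mallory.sign(server.rp_id, ch))

    ch, allow = server.preauthenticate("alice")
    assert alice.cred_id in allow
    legit = server.authenticate_fixed(ch, alice.cred_id, alice.sign(server.rp_id, ch))
    return vulnerable, fixed, legit


if __name__ == "__main__":
    print(demo())  # ('alice', None, 'alice')
```

The vulnerable handler is internally consistent: the challenge is fresh, the signature is valid, and the key is on file. What it lacks is the link between the key it selected and the account the relying party asked about, which is exactly the user-controlled-key condition of CWE-639. The fix also rejects a credential that was not in the allowCredentials list issued with the challenge, so a client cannot widen a named-credential request into a discoverable one.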

Advisories recommend upgrading to StrongKey FIDO Server version 4.15.1 or later to mitigate the issue, as outlined in the official release notes at https://docs.strongkey.com/index.php/skfs-v3/skfs-release-notes. Further technical details on the passkey authentication bypass are provided in the analysis at https://www.securing.pl/en/cve-2025-26788-passkey-authentication-bypass-in-strongkey-fido-server/.

Vulnerability details

StrongKey FIDO Server before 4.15.1 treats a non-discoverable (namedcredential) flow as a discoverable transaction.

CWE(s)

CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1212 Exploitation for Credential Access (Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

The FIDO server is a public-facing authentication service, so the flaw is reached over the network against an exposed endpoint (T1190); a successful bypass yields authentication as another user, i.e. compromise of that user's session or credentials (T1212).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-50693 (shared CWE-639)
CVE-2025-69394 (shared CWE-639)
CVE-2026-41471 (shared CWE-639)
CVE-2025-58402 (shared CWE-639)
CVE-2025-68051 (shared CWE-639)
CVE-2026-4503 (shared CWE-639)
CVE-2026-43890 (shared CWE-639)
CVE-2026-25563 (shared CWE-639)
CVE-2024-8261 (shared CWE-639)
CVE-2026-3321 (shared CWE-639)

Affected Assets

StrongKey FIDO Server, versions before 4.15.1
(inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)

Directly mitigates the CVE by requiring timely identification, reporting, and correction of the flaw in StrongKey FIDO Server through the vendor-recommended upgrade to version 4.15.1 or later.

AC-3 Access Enforcement (prevent)

Enforces approved authorizations so that a credential presented in a non-discoverable (named-credential) flow is accepted only for the user it is registered to, rather than being processed as a discoverable transaction, blocking the authorization bypass.

Identification and authentication mechanisms (prevent)

Implements and manages identification and authentication mechanisms that properly distinguish and validate credential types, so that a passkey assertion cannot be used to evade authentication for another account.
