Cyber Resilience

CVE-2026-46419

High

Published: 14 May 2026

Published
14 May 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 3.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-46419 is a high-severity Incorrect Check of Function Return Value (CWE-253) vulnerability in Yubico (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Incorrect return value check in WebAuthn 2FA flow enables authentication bypass leading to account impersonation (T1078); server-side library flaw exploitable on public apps (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35091Shared CWE-253
CVE-2026-0648Shared CWE-253

Affected Assets

Yubico
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References