Intel

AIKIDO-2026-763881

webauthn is vulnerable to Improper Input Validation

Improper Input Validation Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

43

Medium Risk

This Affects:

PYTHONwebauthn
1.0.0 - 2.8.0
Fixed in 3.0.0
Are you affected? Scan for Free

TL;DR

The parse_cbor helper decodes CBOR from WebAuthn attestation and authenticator responses without rejecting duplicate map keys. Because Python treats True and integer 1 as the same dictionary key, a crafted response can silently overwrite COSE key parameters such as kty, causing an EC2 key structure to be interpreted as an RSA key. The same duplicate-key collision can downgrade the attestation format (for example packed to none) or swap the declared curve, undermining verification of the response. The fix decodes CBOR with allow_duplicate_keys=False so responses containing duplicate map keys are rejected as invalid.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

webauthn is vulnerable to Improper Input Validation in versions 1.0.0 - 2.8.0.

How to fix this

Upgrade the webauthn library to the patch version.