GHSA-f66q-9rf6-8795: WebAuthn Re-authentication Freshness Bypass in Flask-Security-Too
Vulnerability ID: GHSA-F66Q-9RF6-8795
CVSS Score: 5.3
Published: 2026-07-07
An authentication freshness bypass vulnerability exists in the WebAuthn re-authentication path of Flask-Security-Too versions 5.8.0 and 5.8.1. The flaw allows an authenticated attacker to elevate the freshness status of a victim session using their own WebAuthn credential, bypassing re-authentication constraints.
TL;DR
An authenticated attacker can bypass session freshness gates by submitting their own WebAuthn cryptographic signature inside a victim's stale session, gaining unauthorized access to administrative or sensitive functions.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-305
- Attack Vector: Network
- CVSS Score: 5.3 (Medium)
- Exploit Status: Proof-of-Concept Available
- Impact: Re-authentication Freshness Bypass
- KEV Status: Not Listed
Affected Systems
- Flask-Security-Too
-
flask-security-too: >= 5.8.0, <= 5.8.1 (Fixed in:
5.8.2)
Code Analysis
Commit: 5c44c76
Vulnerable commit exposing the WebAuthn re-authentication path to cross-user credential validation
Mitigation Strategies
- Upgrade to flask-security-too 5.8.2 or later
- Disable WebAuthn as a verification factor if patching is delayed
- Monitor the authentication logs for mismatched credential owners
Remediation Steps:
- Locate your Python dependency definitions (e.g., requirements.txt, Pipfile, poetry.lock)
- Update the flask-security-too dependency requirement to at least 5.8.2
- Run the package installer to apply the updated library version in the deployment environments
- Verify that the configuration variable SECURITY_WAN_ALLOW_AS_VERIFY is properly defined if custom re-authentication controls are required
References
Read the full report for GHSA-F66Q-9RF6-8795 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)