CVE-2025-26788

Published Feb 14, 2025

Last updated 6 months ago

CVSS high 8.4
StrongKey FIDO Server

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-26788 is a vulnerability affecting StrongKey FIDO Server versions prior to 4.15.1. The flaw lies in the server's handling of non-discoverable transactions: when a transaction is configured as non-discoverable in the namedcredential flow, the server incorrectly processes it as a discoverable transaction. This mishandling could allow an attacker to obtain sensitive information, compromising the security of the authentication process. To mitigate this vulnerability, users are advised to upgrade to version 4.15.1 or later.

Description: StrongKey FIDO Server before 4.15.1 treats a non-discoverable (namedcredential) flow as a discoverable transaction.
Source: cve@mitre.org
NVD status: Received

Risk scores

CVSS 3.1
Type: Secondary
Base score: 8.4
Impact score: 6
Exploitability score: 1.8
Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Severity: HIGH

Weaknesses (cve@mitre.org): CWE-639 (Authorization Bypass Through User-Controlled Key)

Social media

Hype score
Not currently trending
  1. Account takeover in passkey authentication: explanation of a vulnerability (CVE-2025-26788) caused by mixing with the Non Discoverable Credential flow (2025-08-05) #パスキー https://t.co/2tZjWIP4ni
     @_nat, 11 Aug 2025: 353 impressions, 0 retweets, 3 likes, 2 bookmarks, 0 replies, 0 quotes

  2. Account takeover in passkey authentication: explanation of a vulnerability (CVE-2025-26788) caused by mixing with the Non Discoverable Credential flow https://t.co/0lRDbTfVLN 「Using an assertion generated by an authenticator prepared by the attacker, the victim's acc…
     @akibablog, 5 Aug 2025: 3485 impressions, 2 retweets, 1 like, 3 bookmarks, 0 replies, 0 quotes

  3. Account takeover in passkey authentication: explanation of a vulnerability (CVE-2025-26788) caused by mixing with the Non Discoverable Credential flow - GMO Flatt Security Blog https://t.co/6SAHzyqvmn
     @yousukezan, 5 Aug 2025: 5601 impressions, 18 retweets, 60 likes, 43 bookmarks, 0 replies, 0 quotes

  4. We have published the blog post by security engineer 小武! It covers CVE-2025-26788, a vulnerability that made account takeover possible because the Passkey (Discoverable Credential) and Non Discoverable Credentials authentication flows were mixed, in det…
     @flatt_security, 5 Aug 2025: 4162 impressions, 14 retweets, 37 likes, 16 bookmarks, 1 reply, 0 quotes

  5. 🚨 CVE-2025-26788 🔴 HIGH (8.4) 🏢 StrongKey - FIDO Server 🏗️ 0 🔗 https://t.co/hyEBe9LY5x #CyberCron #VulnAlert https://t.co/jwzYzHByBT
     @cybercronai, 16 Feb 2025: 15 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  6. [CVE-2025-26788: HIGH] StrongKey FIDO Server before 4.15.1 treats a non-discoverable (namedcredential) flow as a discoverable transaction. #cybersecurity, #vulnerability https://t.co/GPuMGnP1Zs https://t.co/EIkhY6T8Jb
     @CveFindCom, 14 Feb 2025: 9 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes