GHSA-h4fw-6r7f-w494: Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy

May 7, 2026

In version 5.3.0 of the Symfony bundle, Webauthn\Bundle\Policy\ClientOverridePolicy defaulted to allowing all client overrides, including userVerification. A client could send {"userVerification": "discouraged"} in the assertion or attestation options request to override a server-configured userVerification: required, causing the emitted WebAuthn options to instruct the authenticator to skip user verification. The CheckUserVerification ceremony step then read the same downgraded options and skipped its check.

References

github.com/advisories/GHSA-h4fw-6r7f-w494
github.com/web-auth/webauthn-framework
github.com/web-auth/webauthn-framework/security/advisories/GHSA-h4fw-6r7f-w494

Code Behaviors & Features

Detect and mitigate GHSA-h4fw-6r7f-w494 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →