GHSA-j5rm-v3vh-vx94: eduMFA Passkeys: missing expiration flag may allow replay attacks and reuse of old challenges

May 18, 2026

In eduMFA < 2.9.1 userless Passkey/WebAuthn challenges might be replayed and do not expire

References

github.com/advisories/GHSA-j5rm-v3vh-vx94
github.com/eduMFA/eduMFA/security/advisories/GHSA-j5rm-v3vh-vx94

Code Behaviors & Features

Detect and mitigate GHSA-j5rm-v3vh-vx94 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →