CVE-2025-26788
Published: 14 February 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Security Summary
CVE-2025-26788 is a vulnerability in StrongKey FIDO Server versions before 4.15.1, where the server incorrectly treats a non-discoverable (namedcredential) flow as a discoverable transaction. This issue, linked to CWE-639 (Authorization Bypass Through User-Controlled Key), carries a CVSS v3.1 base score of 8.4 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L), indicating high severity due to its potential for significant confidentiality and integrity impacts.
The vulnerability can be exploited over the network (AV:N) by an attacker holding low privileges (PR:L) and without any user interaction (UI:N), although the attack complexity is high (AC:H). Scope is changed (S:C), meaning the impact extends beyond the vulnerable component, with high confidentiality and integrity impact (C:H/I:H) and low availability impact (A:L). In practice this is an authentication bypass, such as evading passkey authentication, with the potential to compromise user sessions or credentials.
Advisories recommend upgrading to StrongKey FIDO Server version 4.15.1 or later to mitigate the issue, as outlined in the official release notes at https://docs.strongkey.com/index.php/skfs-v3/skfs-release-notes. Further technical details on the passkey authentication bypass are provided in the analysis at https://www.securing.pl/en/cve-2025-26788-passkey-authentication-bypass-in-strongkey-fido-server/.
Details
- CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing FIDO authentication server can be exploited over the network to bypass authentication (T1190, Exploit Public-Facing Application), leading to credential or session compromise (T1212, Exploitation for Credential Access).