CVE-2026-2800

Critical

Published: 24 February 2026

Published

24 February 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 19.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

preventrecover

Directly requires timely identification, reporting, and correction of flaws like CVE-2026-2800 through patching Firefox for Android to version 148 or later.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Provides vulnerability scanning to identify systems running vulnerable Firefox for Android versions affected by the WebAuthn spoofing flaw.

SI-5 Security Alerts, Advisories, and Directives partial match

detect

Ensures monitoring and dissemination of vendor security advisories such as Mozilla MFSA 2026-13 to prompt remediation of CVE-2026-2800.

Security SummaryAI

CVE-2026-2800 is a spoofing vulnerability in the WebAuthn component of Firefox for Android, as identified by CWE-290. The issue allows attackers to spoof authentication mechanisms within WebAuthn, a standard for secure web authentication using public key cryptography. This flaw affects Firefox for Android versions prior to 148 and was also addressed in Thunderbird 148, indicating potential shared component exposure. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables high-impact compromise, potentially allowing the attacker to spoof WebAuthn authentications, bypass security checks, and gain unauthorized access to protected resources or impersonate legitimate users in web applications relying on this API.

Mozilla's security advisories (MFSA 2026-13 and MFSA 2026-16) and the associated Bugzilla entry (1988145) confirm the fix in Firefox 148 and Thunderbird 148. Security practitioners should prioritize updating affected browsers to these versions or later to mitigate the risk, as no workarounds are detailed in the provided references.

Details

CWE(s): NVD-CWE-noinfo CWE-290

Affected Products

mozilla

firefox

≤ 148.0

mozilla

thunderbird

≤ 148.0

MITRE ATT&CK Enterprise TechniquesAI

T1606 Forge Web Credentials Credential Access

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.

attack.mitre.org →

T1078 Valid Accounts Stealth

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

attack.mitre.org →

Why these techniques?

Vulnerability enables spoofing of WebAuthn public-key authentication, directly facilitating forgery of web credentials (T1606) to impersonate users and obtain unauthorized access via valid accounts (T1078).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1988145
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-13/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-16/
Vendor Advisory · security@mozilla.org