Description
WebAuthn AAGUID policy bypass via packed self-attestation. Similar to CVE-2025-12150. When direct attestation is requested but the authenticator sends self-attestation (no x5c), the AAGUID is unverified, allowing bypass of the acceptable AAGUID allowlist.
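As an added illustration of the check this advisory calls for (example code, not Keycloak's own; the function names, sample AAGUID and authData bytes are constructed for the example), a registration-side policy that refuses to let packed self-attestation satisfy an AAGUID allowlist:

```python
import uuid

# Added illustration of the check described above; not Keycloak's code.
# Function names, the sample AAGUID and the authData bytes are constructed.

FLAG_AT = 0x40  # "attested credential data included" bit in the authData flags

def parse_aaguid(auth_data: bytes) -> uuid.UUID:
    """authData layout: rpIdHash(32) | flags(1) | signCount(4) | AAGUID(16) | credIdLen(2) | ..."""
    if len(auth_data) < 55 or not auth_data[32] & FLAG_AT:
        raise ValueError("no attested credential data in authData")
    return uuid.UUID(bytes=auth_data[37:53])

def attestation_type(fmt: str, att_stmt: dict) -> str:
    """'none', 'self' (packed without x5c) or 'basic' (a certificate chain is present)."""
    if fmt == "none":
        return "none"
    if fmt == "packed" and "x5c" not in att_stmt:
        return "self"
    return "basic"

def aaguid_policy(conveyance: str, fmt: str, att_stmt: dict,
                  auth_data: bytes, allowlist: set) -> str:
    """Decide whether a registration satisfies an AAGUID allowlist.
    The AAGUID only means something when it is bound by an attestation certificate
    chain (chain validation is assumed to happen elsewhere); with self-attestation
    it is a value the authenticator asserts about itself and must not pass the allowlist."""
    if not allowlist:
        return "accepted: no AAGUID allowlist configured"
    if conveyance != "direct":
        return "rejected: allowlist requires direct attestation conveyance"
    kind = attestation_type(fmt, att_stmt)
    if kind != "basic":
        return f"rejected: {kind} attestation cannot prove the AAGUID"
    aaguid = parse_aaguid(auth_data)
    if aaguid not in allowlist:
        return f"rejected: AAGUID {aaguid} not in allowlist"
    return f"accepted: AAGUID {aaguid} attested and allowlisted"

# Constructed sample data (not captured from a real authenticator).
SAMPLE_AAGUID = uuid.UUID("0f0f0f0f-1111-2222-3333-444444444444")
SAMPLE_AUTH_DATA = (b"\x00" * 32                 # rpIdHash placeholder
                    + bytes([0x41])              # flags: UP | AT
                    + b"\x00\x00\x00\x01"        # signCount
                    + SAMPLE_AAGUID.bytes
                    + b"\x00\x02" + b"\x01\x02"  # credIdLen, credId
                    + b"\xa0")                   # empty CBOR map standing in for the COSE key
ALLOWLIST = {SAMPLE_AAGUID}
SELF_ATT = {"alg": -7, "sig": b"sig"}                         # packed, no x5c
BASIC_ATT = {"alg": -7, "sig": b"sig", "x5c": [b"cert-der"]}  # packed with a chain
```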
Additional notes
For a simple deployment, attestation and AAGUID checks are usually not needed and are not enforced by default. They are a higher-level security setting that an organization enables to restrict registration to specific authenticators, or because it does not want to rely on the user's choice of authenticator.
Acknowledgement
We acknowledge Pelissier, Sylvain (SICPA) for reporting this issue to the Keycloak security team.
This issue was originally tracked in the private repository. Migrated by @ahus1.