Commit 37a7182

1 parent 95357a3 commit 37a7182

1 file changed

Lines changed: 54 additions & 0 deletions

@@ -0,0 +1,54 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-5353-f8fq-65vc",
4+
"modified": "2026-03-23T19:56:00Z",
5+
"published": "2026-03-23T19:56:00Z",
6+
"aliases": [
7+
"CVE-2026-32879"
8+
],
9+
"summary": "New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure",
10+
"details": "## Summary\n\nA logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion.\n\n## Affected versions\n\n>= v0.10.0\n\n## Description\n\nThe `POST /api/verify` endpoint supports multiple secure verification methods, including passkeys. When the request body contains `{\"method\":\"passkey\"}`, the server only checks whether the authenticated account has a passkey record on file and then marks the secure verification session as complete. It does not verify that the requester successfully completed a WebAuthn assertion.\n\nAs a result, an authenticated user who already has a valid session and a registered passkey can satisfy the secure verification requirement without performing the intended passkey challenge/response flow.\n\n## Impact\n\nIn the upstream project, this issue affects actions protected by `SecureVerificationRequired()`. At the time of publication, the confirmed upstream impact is the root-only `POST /api/channel/:id/key` endpoint, which returns stored channel secrets.\n\nSuccessful exploitation requires:\n- an already authenticated session for the target account, and\n- a registered passkey on that account.\n\nNo full login bypass or cross-account privilege escalation has been confirmed in the upstream codebase. However, the issue defeats the intended step-up verification control for affected privileged actions.\n\n## Workarounds\n\nUntil a patched release is applied:\n- do not rely on passkey as the step-up method for privileged secure-verification actions;\n- require TOTP/2FA for those actions where operationally possible; or\n- temporarily restrict access to affected secure-verification-protected endpoints.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/QuantumNous/new-api"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.10.0"
29+
}
30+
]
31+
}
32+
]
33+
}
34+
],
35+
"references": [
36+
{
37+
"type": "WEB",
38+
"url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-5353-f8fq-65vc"
39+
},
40+
{
41+
"type": "PACKAGE",
42+
"url": "https://github.com/QuantumNous/new-api"
43+
}
44+
],
45+
"database_specific": {
46+
"cwe_ids": [
47+
"CWE-287"
48+
],
49+
"severity": "MODERATE",
50+
"github_reviewed": true,
51+
"github_reviewed_at": "2026-03-23T19:56:00Z",
52+
"nvd_published_at": null
53+
}
54+
}
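Review bot: the single range under `affected` (file lines 23-32) has only an `"introduced": "0.10.0"` event and no `fixed` or `last_affected` event, so consumers of this record will treat every release from 0.10.0 onward as vulnerable with no upper bound. The Workarounds text in `details` says "Until a patched release is applied", which implies a fix is expected. If a patched release exists, add a `fixed` event with that version and a reference to the fix alongside the two existing `WEB` and `PACKAGE` references; if none exists yet, say so in `details` so the open-ended range reads as intentional. The rest is consistent: the `PR:H` in the CVSS vector matches the root-only `POST /api/channel/:id/key` impact described, and `"severity": "MODERATE"` matches that vector.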
