CVE-2026-32729 Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp`

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials via phishing, credential stuffing, or data breach c...

CVE-2026-32729 Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp`

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials via phishing, credential stuffing, or data breach c...

CVE-2026-32729

Runtipi CVE-2026-32729: The /api/auth/verify-totp endpoint lacks rate limiting, attempt counting, and account lockout prior to version 4.8.1, allowing brute-forcing of a 6-digit TOTP if valid credentials are known. The TOTP verification session lasts ~24 hours (default cache TTL), enabling a larg...

CVE-2026-31798

CVE-2026-31798 affects JumpServer’s Custom SMS API Client. The root cause is improper certificate validation, enabling an attacker to intercept MFA/OTP verification codes before delivery to the user’s phone. Impact is limited to credentials/OTP confidentiality with network exposure, as per the pr...

EUVD-2026-12081

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and...

CVE-2026-31798 JumpServer Improper Certificate Validation in Custom SMS API Client

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and...

BIT-PARSE-2026-31875 Parse Server MFA recovery codes not consumed after use

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.33, when multi-factor authentication MFA via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a...

GO-2026-4688 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint in github.com/steveiliop56/tinyauth

Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint in github.com/steveiliop56/tinyauth. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

CVE-2026-32246

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

CVE-2026-32246 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

CVE-2026-32246 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

CVE-2026-32246

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

CVE-2026-32246 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

CVE-2026-32246

CVE-2026-32246 (Tinyauth) : Tinyauth authentication/authorization server before version 5.0.3 allows an attacker who knows a user’s password but not the TOTP secret to obtain an authorization code and valid OIDC tokens by abusing the OIDC authorization endpoint during a TOTP-pending session. This...

Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Summary The OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. Details...

Missing Critical Step in Authentication

Overview Affected versions of this package are vulnerable to Missing Critical Step in Authentication via the OIDC authorize process. An attacker can gain unauthorized access to valid OIDC tokens by leveraging a session where only the password has been verified but the second authentication factor...

Missing Critical Step in Authentication

Overview Affected versions of this package are vulnerable to Missing Critical Step in Authentication via the OIDC authorize process. An attacker can gain unauthorized access to valid OIDC tokens by leveraging a session where only the password has been verified but the second authentication factor...

Missing Critical Step in Authentication

Overview Affected versions of this package are vulnerable to Missing Critical Step in Authentication via the OIDC authorize process. An attacker can gain unauthorized access to valid OIDC tokens by leveraging a session where only the password has been verified but the second authentication factor...

GHSA-3Q28-QJRV-QR39 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Summary The OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. Details...

EUVD-2026-11681

Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint...