github.com/drakkan/sftpgo is vulnerable to authentication bypass attacks. The library allows recovery codes to be generated before two-factor authentication is enabled, so an attacker who knows the user’s password can potentially generate some recovery codes and then use them to bypass two-factor authentication after it is enabled on the account at a later time.
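The ordering check that closes this gap, as an added example that is not SFTPGo's own code: recovery codes are issued only once two-factor authentication is enabled, and enabling it discards anything stored earlier. The Account type, the function names and the error value are all hypothetical, and the sketch does not model how two-factor authentication itself is verified.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

type Account struct { // hypothetical model for this example, not SFTPGo's own type
	TOTPEnabled   bool
	RecoveryCodes map[string]bool // unused codes; redeemed codes are deleted
}

var ErrTOTPDisabled = fmt.Errorf("enable two-factor authentication first")

// GenerateRecoveryCodes issues n single-use codes, but only once 2FA is enabled.
func GenerateRecoveryCodes(a *Account, n int) ([]string, error) {
	if !a.TOTPEnabled {
		return nil, ErrTOTPDisabled
	}
	codes, fresh := make([]string, 0, n), make(map[string]bool, n)
	for i := 0; i < n; i++ {
		b := make([]byte, 8)
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
		codes = append(codes, hex.EncodeToString(b))
		fresh[codes[i]] = true
	}
	a.RecoveryCodes = fresh // regenerating replaces the previous set
	return codes, nil
}

// EnableTOTP discards any codes stored before enrolment so none survive it.
func EnableTOTP(a *Account) {
	a.TOTPEnabled, a.RecoveryCodes = true, nil
}

// RedeemRecoveryCode accepts an unused code once, and only while 2FA is enabled.
func RedeemRecoveryCode(a *Account, code string) bool {
	if !a.TOTPEnabled || !a.RecoveryCodes[code] {
		return false
	}
	delete(a.RecoveryCodes, code)
	return true
}

func main() {
	fmt.Println(GenerateRecoveryCodes(&Account{}, 3))
}
```

Clearing stored codes in EnableTOTP also covers accounts that already held codes issued before the generation check existed.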