CVE-2026-32133

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The image parameter in OTP URL is not properly validated for internal / private IP addresses before making HTTP requests. While the previous fix added response validation to ensure only valid images are stored but HTTP request is still made to arbitrary URLs before this validation occurs. This vulnerability is fixed in 6.1.0.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Bubka/2FAuth/security/advisories/GHSA-8qp3-x2mp-j6f8	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:2fauth:2fauth:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-11 22:16

Updated : 2026-03-13 20:20

NVD link : CVE-2026-32133

Mitre link : CVE-2026-32133

CVE.ORG link : CVE-2026-32133

JSON object : View

Products Affected

2fauth

2fauth

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-32133", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-11T22:16:33.273", "references": [{"url": "https://github.com/Bubka/2FAuth/security/advisories/GHSA-8qp3-x2mp-j6f8", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The image parameter in OTP URL is not properly validated for internal / private IP addresses before making HTTP requests. While the previous fix added response validation to ensure only valid images are stored but HTTP request is still made to arbitrary URLs before this validation occurs. This vulnerability is fixed in 6.1.0."}, {"lang": "es", "value": "2FAuth es una aplicaci\u00f3n web para gestionar cuentas de Autenticaci\u00f3n de Dos Factores (2FA) y generar sus c\u00f3digos de seguridad. Antes de la versi\u00f3n 6.1.0, existe una vulnerabilidad SSRF ciega en 2FAuth que permite a los usuarios autenticados realizar solicitudes HTTP arbitrarias desde el servidor a redes internas y puntos finales de metadatos en la nube. El par\u00e1metro 'image' en la URL de OTP no se valida correctamente para direcciones IP internas / privadas antes de realizar solicitudes HTTP. Aunque la correcci\u00f3n anterior a\u00f1adi\u00f3 validaci\u00f3n de respuesta para asegurar que solo se almacenaran im\u00e1genes v\u00e1lidas, la solicitud HTTP a\u00fan se realiza a URLs arbitrarias antes de que ocurra esta validaci\u00f3n. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 6.1.0."}], "lastModified": "2026-03-13T20:20:31.943", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:2fauth:2fauth:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEBD8E7A-4FB9-4BF4-829E-BBEEAEFE427A", "versionEndExcluding": "6.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}