CVE-2026-32729

{"id": "CVE-2026-32729", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-16T14:19:43.400", "references": [{"url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567w", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-307"}, {"lang": "en", "value": "CWE-799"}]}], "descriptions": [{"lang": "en", "value": "Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000\u2013999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1."}, {"lang": "es", "value": "Runtipi es un orquestador de homeserver personal. Antes de 4.8.1, el endpoint /api/auth/verify-totp de Runtipi no aplica ning\u00fan mecanismo de limitaci\u00f3n de velocidad, conteo de intentos o bloqueo de cuenta. Un atacante que ha obtenido credenciales v\u00e1lidas de un usuario (mediante phishing, relleno de credenciales o violaci\u00f3n de datos) puede forzar por fuerza bruta el c\u00f3digo TOTP de 6 d\u00edgitos para eludir completamente la autenticaci\u00f3n de dos factores. La sesi\u00f3n de verificaci\u00f3n TOTP persiste durante 24 horas (TTL de cach\u00e9 predeterminado), proporcionando una ventana excesiva durante la cual el espacio de claves completo de 1.000.000 c\u00f3digos (000000\u2013999999) puede ser agotado. A tasas de solicitud pr\u00e1cticas (~500 solicitudes/s), el ataque se completa en aproximadamente 33 minutos en el peor de los casos. Esta vulnerabilidad est\u00e1 corregida en 4.8.1."}], "lastModified": "2026-03-17T19:01:54.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9BA07C84-FDE1-4049-A576-D259B0888E84", "versionEndExcluding": "4.8.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}