FKIE_CVE-2026-32729

Vulnerability from fkie_nvd - Published: 2026-03-16 14:19 - Updated: 2026-03-17 19:01
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000–999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1.
References
security-advisories@github.comhttps://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567wExploit, Mitigation, Vendor Advisory
Impacted products
Vendor Product Version
runtipi runtipi *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9BA07C84-FDE1-4049-A576-D259B0888E84",
              "versionEndExcluding": "4.8.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user\u0027s valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000\u2013999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1."
    },
    {
      "lang": "es",
      "value": "Runtipi es un orquestador de homeserver personal. Antes de 4.8.1, el endpoint /api/auth/verify-totp de Runtipi no aplica ning\u00fan mecanismo de limitaci\u00f3n de velocidad, conteo de intentos o bloqueo de cuenta. Un atacante que ha obtenido credenciales v\u00e1lidas de un usuario (mediante phishing, relleno de credenciales o violaci\u00f3n de datos) puede forzar por fuerza bruta el c\u00f3digo TOTP de 6 d\u00edgitos para eludir completamente la autenticaci\u00f3n de dos factores. La sesi\u00f3n de verificaci\u00f3n TOTP persiste durante 24 horas (TTL de cach\u00e9 predeterminado), proporcionando una ventana excesiva durante la cual el espacio de claves completo de 1.000.000 c\u00f3digos (000000\u2013999999) puede ser agotado. A tasas de solicitud pr\u00e1cticas (~500 solicitudes/s), el ataque se completa en aproximadamente 33 minutos en el peor de los casos. Esta vulnerabilidad est\u00e1 corregida en 4.8.1."
    }
  ],
  "id": "CVE-2026-32729",
  "lastModified": "2026-03-17T19:01:54.250",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-16T14:19:43.400",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-307"
        },
        {
          "lang": "en",
          "value": "CWE-799"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.