{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-32729","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-13T15:02:00.626Z","datePublished":"2026-03-13T21:41:11.699Z","dateUpdated":"2026-03-16T20:22:43.613Z"},"containers":{"cna":{"title":"Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp`","problemTypes":[{"descriptions":[{"cweId":"CWE-307","lang":"en","description":"CWE-307: Improper Restriction of Excessive Authentication Attempts","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-799","lang":"en","description":"CWE-799: Improper Control of Interaction Frequency","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567w","tags":["x_refsource_CONFIRM"],"url":"https://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567w"}],"affected":[{"vendor":"runtipi","product":"runtipi","versions":[{"version":"< 4.8.1","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-03-13T21:41:11.699Z"},"descriptions":[{"lang":"en","value":"Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, the Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication.\nThe TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000–999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1."}],"source":{"advisory":"GHSA-v6gf-frxm-567w","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2026-32729","role":"CISA Coordinator","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2026-03-16T20:08:49.065023Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-16T20:22:43.613Z"}}]}}