{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32729", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.626Z", "datePublished": "2026-03-13T21:41:11.699Z", "dateUpdated": "2026-03-16T20:22:43.613Z"}, "containers": {"cna": {"title": "Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp`", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-799", "lang": "en", "description": "CWE-799: Improper Control of Interaction Frequency", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567w"}], "affected": [{"vendor": "runtipi", "product": "runtipi", "versions": [{"version": "< 4.8.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T21:41:11.699Z"}, "descriptions": [{"lang": "en", "value": "Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000\u2013999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1."}], "source": {"advisory": "GHSA-v6gf-frxm-567w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32729", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T20:08:49.065023Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:22:43.613Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32729", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T20:08:49.065023Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:20:39.824Z"}}], "cna": {"title": "Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp`", "source": {"advisory": "GHSA-v6gf-frxm-567w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "runtipi", "product": "runtipi", "versions": [{"status": "affected", "version": "< 4.8.1"}]}], "references": [{"url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567w", "name": "https://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567w", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000\u2013999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-799", "description": "CWE-799: Improper Control of Interaction Frequency"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T21:41:11.699Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32729", "state": "PUBLISHED", "dateUpdated": "2026-03-16T20:22:43.613Z", "dateReserved": "2026-03-13T15:02:00.626Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T21:41:11.699Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BA07C84-FDE1-4049-A576-D259B0888E84", "versionEndExcluding": "4.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000\u2013999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1."}], "id": "CVE-2026-32729", "lastModified": "2026-03-17T19:01:54.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-16T14:19:43.400", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}, {"lang": "en", "value": "CWE-799"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.8.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "runtipi", "source": "cna", "vendor": "runtipi"}, "product": "runtipi", "vendor": "runtipi"}], "analysis": {"en": {"generated_at": "2026-03-17T21:06:16.954834+00:00", "value": {"mitigation_remediation": ["Apply the latest Runtipi release (4.8.1 or newer) to eliminate the TOTP brute\u2011force vulnerability.", "Ensure all deployed instances are updated promptly to the patched version.", "If immediate patching is delayed, implement network\u2011level controls to restrict access to the `/api/auth/verify-totp` endpoint or disable external access to that endpoint."], "summary": {"action": "Patch", "impact": "BypassTwoFactorAuthentication"}, "threat_synthesis": {"affected_systems": "All Runtipi releases prior to version 4.8.1 are affected. The affected product is runtipi:runtipi. Any deployment using a version older than 4.8.1 with the `/api/auth/verify-totp` endpoint accessible is vulnerable.", "description_and_impact": "The vulnerability in Runtipi allows attackers to bypass the two\u2011factor authentication mechanism by brute\u2011forcing the 6\u2011digit TOTP code through the `/api/auth/verify-totp` endpoint. Because no rate limiting, attempt counting, or account lockout is enforced, an attacker who already possesses a valid username and password can try every possible code. The verification session persists for 24 hours, giving the attacker a full 1,000,000\u2011code keyspace. At a practical request rate of about 500 requests per second, an exhaustive attack would complete in roughly 33 minutes in the worst case, granting the attacker full access to the user\u2019s account and any privileges it holds.", "risk_and_exploitability": "The CVSS base score of 8.1 (High) reflects the severity of the bypass. EPSS is under 1% and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating limited current exploitation activity. Attackers must first obtain valid credentials through phishing, credential stuffing, or a data breach, and then remotely hit the authenticated endpoint. Once credentials are known, the lack of rate limiting makes the attack highly feasible and the risk of compromise substantial."}}}}, "created": "2026-03-16T09:22:29.061718+00:00", "updated": "2026-03-23T13:39:11.732223+00:00", "vendors": ["runtipi", "runtipi$PRODUCT$runtipi"]}