CVE-2026-32133
Received Received - Intake

Blind SSRF in 2FAuth Allows Internal Network Requests

Vulnerability report for CVE-2026-32133, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The image parameter in OTP URL is not properly validated for internal / private IP addresses before making HTTP requests. While the previous fix added response validation to ensure only valid images are stored but HTTP request is still made to arbitrary URLs before this validation occurs. This vulnerability is fixed in 6.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-07-06
AI Q&A
2026-03-12
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
2fauth 2fauth to 6.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a blind Server-Side Request Forgery (SSRF) issue in the 2FAuth web application, which manages Two-Factor Authentication accounts and generates security codes. Before version 6.1.0, authenticated users could exploit this flaw to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The problem arises because the 'image' parameter in the OTP URL is not properly validated to block requests to internal or private IP addresses before the HTTP request is made. Although a previous fix ensured only valid images are stored by validating responses, the HTTP request itself still occurs before this validation, allowing the SSRF attack.

Impact Analysis

This vulnerability can allow an attacker with authenticated access to the 2FAuth application to make unauthorized HTTP requests from the server to internal network resources or cloud metadata services. This could lead to unauthorized access to sensitive internal systems, exposure of confidential information, or manipulation of internal services that are not normally accessible externally.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed in version 6.1.0 of 2FAuth. Immediate mitigation involves upgrading the 2FAuth application to version 6.1.0 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32133. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart