CVE-2026-32729
Awaiting Analysis Awaiting Analysis - Queue

TOTP Brute-Force in Runtipi Allows 2FA Bypass

Vulnerability report for CVE-2026-32729, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000–999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-07-06
AI Q&A
2026-03-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
runtipi runtipi to 4.8.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-799 The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Runtipi versions prior to 4.8.1 in the /api/auth/verify-totp endpoint. The endpoint does not enforce rate limiting, attempt counting, or account lockout mechanisms for verifying the 6-digit Time-based One-Time Password (TOTP) codes.

An attacker who has obtained a user's valid credentials (for example, through phishing, credential stuffing, or data breaches) can brute-force the 6-digit TOTP code to bypass two-factor authentication completely.

Because the TOTP verification session persists for 24 hours by default, the attacker has an excessive window to try all possible 1,000,000 codes (from 000000 to 999999). At practical request rates of about 500 requests per second, the attacker can exhaust the entire code space in approximately 33 minutes in the worst case.

This vulnerability was fixed in Runtipi version 4.8.1.

Impact Analysis

This vulnerability allows an attacker who already has valid user credentials to bypass two-factor authentication by brute-forcing the TOTP code.

As a result, the attacker can gain unauthorized access to the affected user's account, potentially compromising sensitive personal or system data managed by the Runtipi homeserver.

Because the attack can be completed in a relatively short time (around 33 minutes), it significantly reduces the security benefits of two-factor authentication.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed in Runtipi version 4.8.1. The immediate step to mitigate this vulnerability is to upgrade Runtipi to version 4.8.1 or later.

This update enforces rate limiting, attempt counting, and account lockout mechanisms on the /api/auth/verify-totp endpoint, preventing brute-force attacks on the 6-digit TOTP code.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32729. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart