CVE-2026-32729
TOTP Brute-Force in Runtipi Allows 2FA Bypass
Publication date: 2026-03-16
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| runtipi | runtipi | up to 4.8.1 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
| CWE-799 | The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Runtipi versions prior to 4.8.1 in the /api/auth/verify-totp endpoint. The endpoint does not enforce rate limiting, attempt counting, or account lockout mechanisms for verifying the 6-digit Time-based One-Time Password (TOTP) codes.
An attacker who has obtained a user's valid credentials (for example, through phishing, credential stuffing, or data breaches) can brute-force the 6-digit TOTP code to bypass two-factor authentication completely.
Because the TOTP verification session persists for 24 hours by default, the attacker has an excessive window to try all possible 1,000,000 codes (from 000000 to 999999). At practical request rates of about 500 requests per second, the attacker can exhaust the entire code space in approximately 33 minutes in the worst case.
This vulnerability was fixed in Runtipi version 4.8.1.
How can this vulnerability impact me?
This vulnerability allows an attacker who already has valid user credentials to bypass two-factor authentication by brute-forcing the TOTP code.
As a result, the attacker can gain unauthorized access to the affected user's account, potentially compromising sensitive personal or system data managed by the Runtipi homeserver.
Because the attack can be completed in a relatively short time (around 33 minutes), it significantly reduces the security benefits of two-factor authentication.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Runtipi version 4.8.1. The immediate step to mitigate this vulnerability is to upgrade Runtipi to version 4.8.1 or later.
This update enforces rate limiting, attempt counting, and account lockout mechanisms on the /api/auth/verify-totp endpoint, preventing brute-force attacks on the 6-digit TOTP code.
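The controls the answers above describe (a bounded verification window, attempt counting with account lockout, and rate limiting on the TOTP endpoint) as an added TypeScript example. This is not Runtipi's own code: the class and function names (`TotpVerificationGuard`, `DEFAULT_OPTIONS`, `unguardedExhaustSeconds`, `guardedGuessBudget`) and the policy values are assumptions chosen for illustration, and the real TOTP check is passed in as a function so the example runs without dependencies. The two helper functions carry the page's arithmetic through: 1,000,000 codes at 500 requests per second is about 2000 seconds unguarded, and the guard caps guesses per session at a few hundred even if the 24-hour session lifetime were kept.

```typescript
// Added example (not Runtipi's code): a guard around a TOTP verification
// endpoint adding the controls CWE-307 and CWE-799 call for.

type VerifyOutcome = "ok" | "invalid" | "locked" | "throttled" | "session_expired";

interface GuardOptions {
  maxFailures: number;   // consecutive failures allowed before lockout
  lockoutMs: number;     // how long the account stays locked
  sessionTtlMs: number;  // lifetime of the "password ok, waiting for TOTP" state
  maxPerWindow: number;  // rate limit: requests allowed per window
  windowMs: number;      // rate-limit window length
}

// Assumed policy values for the example; Runtipi's real settings are not on the page.
const DEFAULT_OPTIONS: GuardOptions = {
  maxFailures: 5,
  lockoutMs: 15 * 60 * 1000,
  sessionTtlMs: 5 * 60 * 1000,
  maxPerWindow: 10,
  windowMs: 60 * 1000,
};

interface AccountState {
  failures: number;
  lockedUntil: number;   // epoch ms; 0 means not locked
  windowStart: number;
  windowCount: number;
}

class TotpVerificationGuard {
  private readonly accounts = new Map<string, AccountState>();

  // `now` is injectable so lockout and expiry can be exercised without waiting.
  constructor(
    private readonly opts: GuardOptions = DEFAULT_OPTIONS,
    private readonly now: () => number = () => Date.now(),
  ) {}

  private state(userId: string): AccountState {
    let s = this.accounts.get(userId);
    if (!s) {
      s = { failures: 0, lockedUntil: 0, windowStart: this.now(), windowCount: 0 };
      this.accounts.set(userId, s);
    }
    return s;
  }

  // sessionIssuedAt: when the password step succeeded (epoch ms).
  // isValidCode: the real TOTP check, treated as a black box here.
  verify(userId: string, sessionIssuedAt: number, code: string,
         isValidCode: (c: string) => boolean): VerifyOutcome {
    const t = this.now();
    // 1. Bound the window: a pending-2FA session must not live for 24 hours.
    if (t - sessionIssuedAt > this.opts.sessionTtlMs) return "session_expired";

    const s = this.state(userId);
    // 2. Account lockout after repeated failures (CWE-307). Keyed by account,
    //    not session, so re-logging in with the stolen password does not reset it.
    if (s.lockedUntil > t) return "locked";

    // 3. Fixed-window rate limit per account (CWE-799), applied before the
    //    code is checked so throttled requests never reach the verifier.
    if (t - s.windowStart >= this.opts.windowMs) { s.windowStart = t; s.windowCount = 0; }
    s.windowCount += 1;
    if (s.windowCount > this.opts.maxPerWindow) return "throttled";

    // 4. Malformed input counts as a failed attempt rather than a free probe.
    if (/^\d{6}$/.test(code) && isValidCode(code)) {
      s.failures = 0;  // success resets the counter
      return "ok";
    }
    s.failures += 1;
    if (s.failures >= this.opts.maxFailures) {
      s.lockedUntil = t + this.opts.lockoutMs;
      s.failures = 0;
      return "locked";
    }
    return "invalid";
  }
}

// Worst-case seconds to try all 1,000,000 six-digit codes with no controls
// (the page's 500 req/s gives 2000 s, about 33 minutes).
function unguardedExhaustSeconds(requestsPerSecond: number): number {
  return 1_000_000 / requestsPerSecond;
}

// Upper bound on guesses per account within one session lifetime once the
// guard is active: the tighter of the lockout bound and the rate-limit bound.
function guardedGuessBudget(opts: GuardOptions = DEFAULT_OPTIONS): number {
  const byLockout = (Math.floor(opts.sessionTtlMs / opts.lockoutMs) + 1) * opts.maxFailures;
  const byRate = Math.ceil(opts.sessionTtlMs / opts.windowMs) * opts.maxPerWindow;
  return Math.min(byLockout, byRate);
}
```

The order of checks matters: session expiry and lockout are evaluated before the rate limiter and the rate limiter before the code comparison, so a locked or throttled request never consumes a verification and a malformed code is still charged as an attempt.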