CVE-2026-32729
Status: Awaiting Analysis - Queue
TOTP Brute-Force in Runtipi Allows 2FA Bypass

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, the Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or a data breach) can brute-force the 6-digit TOTP code and completely bypass two-factor authentication. The TOTP verification session (the state between a successful password login and TOTP entry) persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000–999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case, and in roughly half that on average. This vulnerability is fixed in 4.8.1.
Meta Information
Published: 2026-03-16
Last Modified: 2026-03-17
Generated: 2026-06-16
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: runtipi
Product: runtipi
Version / Range: all versions before 4.8.1 (upper bound exclusive; 4.8.1 is the fixed release)
CWE
CWE-307 (Improper Restriction of Excessive Authentication Attempts): The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
CWE-799 (Improper Control of Interaction Frequency): The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
Executive Summary

This vulnerability exists in Runtipi versions prior to 4.8.1 in the /api/auth/verify-totp endpoint. The endpoint does not enforce rate limiting, attempt counting, or account lockout mechanisms for verifying the 6-digit Time-based One-Time Password (TOTP) codes.

An attacker who has obtained a user's valid credentials (for example, through phishing, credential stuffing, or data breaches) can brute-force the 6-digit TOTP code to bypass two-factor authentication completely.

Because the TOTP verification session persists for 24 hours by default, the attacker has an excessive window in which to try all 1,000,000 possible codes (000000 through 999999). At a practical rate of about 500 requests per second, exhausting the entire code space takes approximately 33 minutes in the worst case, and the valid code is typically found in about half that time.

This vulnerability was fixed in Runtipi version 4.8.1.

Impact Analysis

This vulnerability allows an attacker who already has valid user credentials to bypass two-factor authentication by brute-forcing the TOTP code.

As a result, the attacker can gain unauthorized access to the affected user's account, potentially compromising sensitive personal or system data managed by the Runtipi homeserver.

Because the attack completes within the 24-hour session window (at most around 33 minutes at 500 requests per second), the second factor adds essentially no protection once the password is known, which removes the security benefit two-factor authentication is meant to provide.

Detection Guidance

The advisory itself supplies the signals to look for: a pending 2FA session stays valid for 24 hours, and a complete brute force needs up to 1,000,000 requests to /api/auth/verify-totp for a single account. The checks below follow from that description; they are general brute-force detections, not vendor-supplied detection content.

Count failed verify-totp responses per account (or per pre-2FA session) and per source address over a sliding window in whatever request logs the deployment has (reverse proxy or application). Legitimate users mistype a handful of codes; an attacker fails hundreds of times per second.

Alert on a successful TOTP verification that directly follows a large burst of failures for the same account. That sequence is the completion of the attack, not a user recovering from a typo.

Record request volume to the endpoint at the reverse proxy. A sustained rate of hundreds of requests per second to one authentication path on a personal homeserver is not normal use.

Treat the password as compromised whenever such a burst is seen. The attack presupposes valid credentials, so a burst warrants a password reset whether or not the second factor held.

Mitigation Strategies

The vulnerability is fixed in Runtipi version 4.8.1. The immediate step is to upgrade Runtipi to 4.8.1 or later.

The advisory states that the fix addresses the missing rate limiting, attempt counting, and lockout on the /api/auth/verify-totp endpoint; it does not detail which of those controls 4.8.1 implements or with what thresholds, so verify the behaviour after upgrading rather than assuming a particular limit.

Where the upgrade cannot be applied immediately, the following general measures reduce exposure (these are standard interim controls, not vendor guidance): do not expose the Runtipi interface directly to the internet, or put it behind a reverse proxy that rate limits /api/auth/verify-totp per client; shorten the 24-hour verification session where the deployment allows it; and, because the attack requires valid credentials, reset passwords for any account suspected of being compromised and review authentication logs for bursts of failed TOTP checks.
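The attack from the description and the controls the fix is meant to supply, shown as an added example that is not Runtipi's code: an RFC 6238 TOTP verifier with no attempt counting beside one that locks the pending-2FA session after a fixed number of failures, and a brute-force loop run against both. The secret and timestamp are the RFC 6238 test vector (code 287082 at T=59), and the five-attempt limit, the session identifier, the class and function names and the ±1-step acceptance window are assumptions made for illustration; Runtipi's real endpoint, session store and cache TTL are not reproduced.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// RFC 4226 HOTP / RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step).
// Illustrative implementation for this example, not Runtipi's own code.
function hotp(secret: Buffer, counter: bigint, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(counter);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const off = mac[mac.length - 1] & 0x0f; // dynamic truncation offset
  const bin =
    ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

function totp(secret: Buffer, unixSeconds: number, step = 30): string {
  return hotp(secret, BigInt(Math.floor(unixSeconds / step)));
}

// Accept the current step and (assumed) one step either side, as many verifiers do.
// That triples the number of valid codes at any instant, which is why a limit matters.
function codeMatches(secret: Buffer, code: string, now: number, window = 1): boolean {
  if (!/^\d{6}$/.test(code)) return false; // reject malformed input before comparing
  for (let w = -window; w <= window; w++) {
    const expected = totp(secret, now + w * 30);
    if (timingSafeEqual(Buffer.from(expected), Buffer.from(code))) return true;
  }
  return false;
}

type VerifyResult = "ok" | "bad-code" | "locked";

// Vulnerable pattern: every call checks the code and nothing remembers earlier failures.
class UnlimitedVerifier {
  constructor(private secret: Buffer, private now: number) {}
  verify(_sessionId: string, code: string): VerifyResult {
    return codeMatches(this.secret, code, this.now) ? "ok" : "bad-code";
  }
}

// Hardened pattern: count failures per pending-2FA session and lock it after maxAttempts
// (5 is an assumed value). A locked session must start over with a fresh password login,
// so each guessing round costs the attacker another credential check and leaves a trail.
class LockoutVerifier {
  private failures = new Map<string, number>();
  constructor(private secret: Buffer, private now: number, private maxAttempts = 5) {}
  verify(sessionId: string, code: string): VerifyResult {
    const failed = this.failures.get(sessionId) ?? 0;
    if (failed >= this.maxAttempts) return "locked";
    if (codeMatches(this.secret, code, this.now)) {
      this.failures.delete(sessionId);
      return "ok";
    }
    this.failures.set(sessionId, failed + 1);
    return "bad-code";
  }
}

// Attacker who already holds the password: enumerate 000000..999999 against one
// pending-2FA session until a code is accepted or the session is locked.
function bruteForce(
  v: { verify(sessionId: string, code: string): VerifyResult },
  sessionId = "sess-1",
): { attempts: number; bypassed: boolean } {
  let attempts = 0;
  for (let n = 0; n < 1_000_000; n++) {
    attempts++;
    const r = v.verify(sessionId, String(n).padStart(6, "0"));
    if (r === "ok") return { attempts, bypassed: true };
    if (r === "locked") return { attempts, bypassed: false };
  }
  return { attempts, bypassed: false };
}

// Worst-case wall-clock time to exhaust the whole keyspace at a given request rate.
function worstCaseMinutes(reqPerSec: number, keyspace = 1_000_000): number {
  return keyspace / reqPerSec / 60;
}

// Constructed demo input: the RFC 6238 test secret and test time (T=59 -> code 287082).
const DEMO_SECRET = Buffer.from("12345678901234567890", "ascii");
const DEMO_TIME = 59;

const unlimited = bruteForce(new UnlimitedVerifier(DEMO_SECRET, DEMO_TIME));
const locked = bruteForce(new LockoutVerifier(DEMO_SECRET, DEMO_TIME));
console.log(`no lockout : ${JSON.stringify(unlimited)}`); // { attempts: 287083, bypassed: true }
console.log(`5-try lock : ${JSON.stringify(locked)}`); // { attempts: 6, bypassed: false }
console.log(`worst case at 500 req/s: ${worstCaseMinutes(500).toFixed(1)} min`); // 33.3
```

Against the verifier with no lockout the loop reaches the valid code on request 287,083, under ten minutes at the advisory's 500 requests per second, with 1,000,000 requests (33.3 minutes) as the ceiling. Against the five-attempt lock the sixth request is refused and the attacker is sent back to the password step, which is the behaviour any fix for CWE-307 has to produce.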
