CVE-2024-24769
Received Received - Intake
MFA Token Reset Email Flooding in vantage6

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someones mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as spam sender. Note resetting the MFA token requires a correct password, so the potential impact for this is very low. Version 5.0.0 fixes the issue. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-18
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2024-24769
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vantage6 vantage6 to 5.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in vantage6, an open-source infrastructure for privacy preserving analysis. Before version 5.0.0, users could reset their MFA (Multi-Factor Authentication) token via API routes that send them an email. However, there was no limit on the number of emails that could be sent, allowing attackers to flood a user's mailbox with many emails.

Although resetting the MFA token requires the correct password, the unlimited email sending could overwhelm the user's mailbox and negatively affect the SMTP server, potentially causing it to be flagged as a spam sender.

This issue was fixed in version 5.0.0 of vantage6.

Impact Analysis

The primary impact of this vulnerability is that an attacker could flood a user's mailbox with a large number of MFA reset emails, which could overwhelm the mailbox and disrupt normal email usage.

Additionally, the SMTP server used to send these emails could be adversely affected and might be seen as a spam sender, potentially impacting email deliverability for legitimate messages.

However, since resetting the MFA token requires the correct password, the overall potential impact of this vulnerability is considered very low.

Mitigation Strategies

The vulnerability is fixed in vantage6 version 5.0.0. Upgrading to this version or later is the recommended mitigation step.

No known workarounds are available.

Compliance Impact

The vulnerability allows an attacker to flood a user's mailbox with multiple MFA reset emails, potentially causing spam issues and adverse effects on the SMTP server. However, since resetting the MFA token requires the correct password, the potential impact is very low.

There is no direct information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-24769. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart