CVE-2024-27928
Deferred Deferred - Pending Action

Two-Factor Authentication Bypass in vantage6

Vulnerability report for CVE-2024-27928, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues. Version 5.0.0 fixes the issue. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-23
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-06
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vantage6 vantage6 to 5.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-308 The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in vantage6 prior to version 5.0.0 allows an attacker who has hacked into a vantage6 user's email account to bypass two-factor authentication (2FA). Specifically, the attacker can reset the password via email and then reset the 2FA token also via email, effectively reducing the security from 2FA to just single-factor authentication (email access).

However, since most email providers require 2FA to access email accounts, this vulnerability is less likely to be exploited in practice. The issue was fixed in version 5.0.0 of vantage6.

Impact Analysis

If an attacker gains access to your vantage6 user's email account, they can bypass the two-factor authentication protection on your vantage6 account by resetting both your password and 2FA token via email. This reduces your account security to just email access, potentially allowing unauthorized access to your vantage6 account.

However, because most email providers enforce 2FA for email access, the likelihood of this attack succeeding is lower.

Mitigation Strategies

The vulnerability is fixed in vantage6 version 5.0.0. Immediate mitigation involves upgrading vantage6 to version 5.0.0 or later.

No known workarounds are available.

Additionally, since the vulnerability requires an attacker to have access to a vantage6 user's email account, ensuring strong email account security, such as enabling 2FA on email accounts, is recommended.

Compliance Impact

The vulnerability allows an attacker who has compromised a vantage6 user's email account to bypass two-factor authentication (2FA) by resetting the password and 2FA token via email, effectively reducing security to single-factor authentication (1FA).

This reduction in authentication strength could potentially increase the risk of unauthorized access to sensitive data, which may impact compliance with data protection standards and regulations such as GDPR and HIPAA that require strong access controls and protection of personal or health information.

However, the description notes that most email providers require 2FA to access email accounts, making exploitation less likely.

Version 5.0.0 of vantage6 fixes this issue, and no known workarounds are available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-27928. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart