CVE-2024-27928
Status: Received - Intake
Two-Factor Authentication Bypass in vantage6

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
vantage6 is an open-source infrastructure for privacy-preserving analysis. Prior to version 5.0.0, an attacker who has compromised a vantage6 user's email account can 1) reset the password via email and then 2) reset the 2FA token via email. This reduces 2FA to a single factor (email access). Note that most email providers require 2FA to access email, so this issue is not very likely to be exploited in practice. Version 5.0.0 fixes the issue. No known workarounds are available.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: vantage6
Product: vantage6
Version / Range: up to 5.0.0 (exclusive)
CWE
CWE-308: The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.
Executive Summary

The vulnerability in vantage6 prior to version 5.0.0 allows an attacker who has compromised a vantage6 user's email account to bypass two-factor authentication (2FA). Specifically, the attacker can reset the password via email and then also reset the 2FA token via email, effectively reducing the account's protection from 2FA to single-factor authentication (email access).

However, since most email providers require 2FA to access email accounts, this vulnerability is less likely to be exploited in practice. The issue was fixed in version 5.0.0 of vantage6.

Impact Analysis

If an attacker gains access to a vantage6 user's email account, they can bypass the two-factor authentication protection on that vantage6 account by resetting both the password and the 2FA token via email. This reduces the account's security to email access alone, potentially allowing unauthorized access to the vantage6 account.

However, because most email providers enforce 2FA for email access, the likelihood of this attack succeeding is lower.

Mitigation Strategies

The vulnerability is fixed in vantage6 version 5.0.0. Immediate mitigation involves upgrading vantage6 to version 5.0.0 or later.

No known workarounds are available.

Additionally, since exploiting the vulnerability requires access to a vantage6 user's email account, strong email account security, such as enabling 2FA on the email account itself, is recommended.
