CVE-2026-48505
Received Received - Intake
Recovery Code Reuse in Filament Laravel MFA

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker's window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-23
AI Q&A
2026-06-23
EPSS Evaluated
N/A
NVD
CVE-2026-48505
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
filament filament From 4.0.0 (inc) to 4.11.5 (inc)
filament filament 5.6.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-841 The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Filament versions from 4.0.0 until 4.11.5 and 5.6.5, specifically in the handling of recovery codes for app-based multi-factor authentication (MFA). The flaw allows the same recovery code to be reused through concurrent submissions, which should normally be single-use. This issue only applies when recovery codes are enabled and does not affect email-based MFA.

If an attacker obtains both the user's password and their recovery codes, they can use each recovery code multiple times simultaneously, gaining multiple authenticated sessions per code instead of just one. This extends the attacker's window of access beyond what the single-use recovery code system is intended to provide.

The vulnerability was fixed in versions 4.11.5 and 5.6.5 of Filament.

Impact Analysis

If exploited, this vulnerability allows an attacker who has both the user's password and recovery codes to create multiple authenticated sessions simultaneously by reusing recovery codes. This means the attacker can maintain prolonged and expanded access to the user's account beyond what is normally possible with single-use recovery codes.

This extended access increases the risk of unauthorized actions, data exposure, or other malicious activities within the affected application or system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Filament to version 4.11.5 or 5.6.5 or later, where the issue with recovery code reuse has been fixed.

Additionally, ensure that recovery codes are used carefully and consider disabling recovery codes if not necessary, as the vulnerability only applies when recovery codes are enabled.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48505. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart