CVE-2026-48505
Deferred Deferred - Pending Action

Recovery Code Reuse in Filament Laravel MFA

Vulnerability report for CVE-2026-48505, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker's window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
filament filament From 4.0.0 (inc) to 4.11.5 (inc)
filament filament 5.6.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-841 The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Filament versions from 4.0.0 until 4.11.5 and 5.6.5, specifically in the handling of recovery codes for app-based multi-factor authentication (MFA). The flaw allows the same recovery code to be reused through concurrent submissions, which should normally be single-use. This issue only applies when recovery codes are enabled and does not affect email-based MFA.

If an attacker obtains both the user's password and their recovery codes, they can use each recovery code multiple times simultaneously, gaining multiple authenticated sessions per code instead of just one. This extends the attacker's window of access beyond what the single-use recovery code system is intended to provide.

The vulnerability was fixed in versions 4.11.5 and 5.6.5 of Filament.

Impact Analysis

If exploited, this vulnerability allows an attacker who has both the user's password and recovery codes to create multiple authenticated sessions simultaneously by reusing recovery codes. This means the attacker can maintain prolonged and expanded access to the user's account beyond what is normally possible with single-use recovery codes.

This extended access increases the risk of unauthorized actions, data exposure, or other malicious activities within the affected application or system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Filament to version 4.11.5 or 5.6.5 or later, where the issue with recovery code reuse has been fixed.

Additionally, ensure that recovery codes are used carefully and consider disabling recovery codes if not necessary, as the vulnerability only applies when recovery codes are enabled.

Compliance Impact

This vulnerability allows an attacker who has obtained both a user's password and recovery codes to reuse recovery codes multiple times concurrently, thereby extending unauthorized access beyond the intended single-use limit.

Such extended unauthorized access could potentially lead to increased risk of data breaches or unauthorized data access, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of sensitive data.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48505. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart