CVE-2026-32133

UNKNOWN 0.0

2FAuth has Blind SSRF in image parameter allows internal network access and more

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The image parameter in OTP URL is not properly validated for internal / private IP addresses before making HTTP requests. While the previous fix added response validation to ensure only valid images are stored but HTTP request is still made to arbitrary URLs before this validation occurs. This vulnerability is fixed in 6.1.0.

CWE	CWE-918
Vendor	bubka
Product	2fauth
Published	Mar 11, 2026
Last Updated	Mar 12, 2026

Stay Ahead of the Next One

Get instant alerts for bubka 2fauth

Be the first to know when new unknown vulnerabilities affecting bubka 2fauth are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Bubka / 2FAuth

< 6.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Bubka/2FAuth/security/advisories/GHSA-8qp3-x2mp-j6f8