CVE Alert

CVE-2026-32729

HIGH 8.1

Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp`

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, the Runtipi `/api/auth/verify-totp` endpoint enforces no rate limiting, attempt counting, or account lockout. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or a data breach) can brute-force the 6-digit TOTP code and bypass two-factor authentication entirely. The TOTP verification session persists for 24 hours (the default cache TTL), an excessive window in which the full 1,000,000-code keyspace (000000–999999) can be tried. At practical request rates (~500 req/s), the attack completes in roughly 33 minutes in the worst case. (Because a TOTP code rotates every 30 seconds, a sequential sweep is probabilistic rather than a strict exhaustion, but with no cap on attempts the cumulative success probability grows with every request.) This vulnerability is fixed in 4.8.1.
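As an added illustration (this is not Runtipi's code, and the names `verifyTotpUnlimited`, `HardenedTotpVerifier`, `bruteForce` and `demo` are assumptions made for the example), the following TypeScript implements RFC 6238 TOTP, models the verification endpoint both without and with attempt limiting, and sweeps the 6-digit keyspace against each. It pins the secret and timestamp to an RFC 6238 Appendix B test vector so the run is deterministic: the unlimited verifier accepts the sweep, the attempt-capped one tears the session down after five failures.

```typescript
// Added example, not Runtipi code. Models the /api/auth/verify-totp check two
// ways (unlimited attempts vs. attempt-capped session) and sweeps the 6-digit
// keyspace against each. Names below are assumptions made for illustration.
import { createHmac, timingSafeEqual } from "node:crypto";

const STEP_SECONDS = 30;
const DIGITS = 6;
const KEYSPACE = Math.pow(10, DIGITS);
const MAX_ATTEMPTS = 5;   // hardened: failures allowed per verification session
const SESSION_TTL = 300;  // hardened: seconds, instead of a 24 h cache TTL

type Result = "ok" | "invalid" | "locked" | "expired";

function zeroPad(n: number, width: number): string {
  let s = String(n);
  while (s.length < width) s = "0" + s;
  return s;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation.
function hotp(secret: Buffer, counter: number): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const h = createHmac("sha1", secret).update(msg).digest();
  const offset = h[h.length - 1] & 0x0f;
  const bin =
    ((h[offset] & 0x7f) << 24) | (h[offset + 1] << 16) | (h[offset + 2] << 8) | h[offset + 3];
  return zeroPad(bin % KEYSPACE, DIGITS);
}

// TOTP (RFC 6238): HOTP over the 30-second time step. Exact step only, no +/-1 window.
function totp(secret: Buffer, unixSeconds: number): string {
  return hotp(secret, Math.floor(unixSeconds / STEP_SECONDS));
}

// Constant-time string compare that does not throw on a length mismatch.
function safeEqual(expected: string, given: string): boolean {
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(given, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// The pattern the advisory describes: each request recomputes and compares,
// nothing is counted, so a client may submit every code in the keyspace.
function verifyTotpUnlimited(secret: Buffer, code: string, now: number): Result {
  return safeEqual(totp(secret, now), code) ? "ok" : "invalid";
}

interface TotpSession { secret: Buffer; attempts: number; expiresAt: number; }

// Hardened shape: a short-lived verification session that is destroyed after
// MAX_ATTEMPTS failures (forcing a fresh password login) or on expiry.
class HardenedTotpVerifier {
  private sessions: { [id: string]: TotpSession } = {};

  start(sessionId: string, secret: Buffer, now: number): void {
    this.sessions[sessionId] = { secret, attempts: 0, expiresAt: now + SESSION_TTL };
  }

  verify(sessionId: string, code: string, now: number): Result {
    const s = this.sessions[sessionId];
    if (!s) return "locked";
    if (now >= s.expiresAt) { delete this.sessions[sessionId]; return "expired"; }
    s.attempts += 1;
    if (/^[0-9]{6}$/.test(code) && safeEqual(totp(s.secret, now), code)) {
      delete this.sessions[sessionId]; // single use
      return "ok";
    }
    if (s.attempts >= MAX_ATTEMPTS) { delete this.sessions[sessionId]; return "locked"; }
    return "invalid";
  }
}

// Attacker loop: sweep 000000..999999 until accepted or cut off.
function bruteForce(attempt: (code: string) => Result): { code: string | null; attempts: number } {
  for (let i = 0; i < KEYSPACE; i++) {
    const code = zeroPad(i, DIGITS);
    const r = attempt(code);
    if (r === "ok") return { code, attempts: i + 1 };
    if (r !== "invalid") return { code: null, attempts: i + 1 };
  }
  return { code: null, attempts: KEYSPACE };
}

// RFC 6238 Appendix B test vector: secret "12345678901234567890", T=1234567890
// gives 89005924, so the 6-digit code is 005924. Time is pinned for determinism.
const RFC_SECRET = Buffer.from("12345678901234567890", "ascii");
const RFC_TIME = 1234567890;

function demo() {
  const unlimited = bruteForce((c) => verifyTotpUnlimited(RFC_SECRET, c, RFC_TIME));
  const hardened = new HardenedTotpVerifier();
  hardened.start("sess-1", RFC_SECRET, RFC_TIME);
  const limited = bruteForce((c) => hardened.verify("sess-1", c, RFC_TIME));
  return { unlimited, limited };
}

console.log(demo()); // unlimited finds 005924 after 5925 requests; limited is locked after 5
```

The hardened class keeps the attempt counter on the server-side verification session rather than on the client, and bounds both the count and the lifetime; a real deployment would additionally rate-limit by source IP and log the lockout, but the per-session cap alone is what turns a 33-minute sweep into a handful of guesses per password login.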

CWE CWE-307 (Improper Restriction of Excessive Authentication Attempts), CWE-799 (Improper Control of Interaction Frequency)
Vendor runtipi
Product runtipi
Published Mar 13, 2026
Last Updated Mar 16, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

runtipi / runtipi
< 4.8.1

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567w