{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-01T03:52:03.256","vulnerabilities":[{"cve":{"id":"CVE-2026-32729","sourceIdentifier":"security-advisories@github.com","published":"2026-03-16T14:19:43.400","lastModified":"2026-03-17T19:01:54.250","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000–999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1."},{"lang":"es","value":"Runtipi es un orquestador de homeserver personal. Antes de 4.8.1, el endpoint /api/auth/verify-totp de Runtipi no aplica ningún mecanismo de limitación de velocidad, conteo de intentos o bloqueo de cuenta. Un atacante que ha obtenido credenciales válidas de un usuario (mediante phishing, relleno de credenciales o violación de datos) puede forzar por fuerza bruta el código TOTP de 6 dígitos para eludir completamente la autenticación de dos factores. La sesión de verificación TOTP persiste durante 24 horas (TTL de caché predeterminado), proporcionando una ventana excesiva durante la cual el espacio de claves completo de 1.000.000 códigos (000000–999999) puede ser agotado. A tasas de solicitud prácticas (~500 solicitudes/s), el ataque se completa en aproximadamente 33 minutos en el peor de los casos. Esta vulnerabilidad está corregida en 4.8.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-307"},{"lang":"en","value":"CWE-799"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*","versionEndExcluding":"4.8.1","matchCriteriaId":"9BA07C84-FDE1-4049-A576-D259B0888E84"}]}]}],"references":[{"url":"https://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567w","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}