CVE-2026-28510

EPSS 0.25%
Veröffentlicht 05.05.2026 13:16:28
Zuletzt bearbeitet 12.05.2026 13:58:22
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

elabftw allows MFA bypass during login

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Elabftw ≫ Elabftw Version < 5.4.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.165

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.9	0.7	5.2	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-302 Authentication Bypass by Assumed-Immutable Data

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

https://github.com/elabftw/elabftw/commit/8b7a575aef128870861187eaa2b2f0f08654ecf9

Patch

https://github.com/elabftw/elabftw/security/advisories/GHSA-x5wv-c9q4-fj65

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-28510

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-28510

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-28510

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-28510