CVE-2026-48505

EPSS 0.19%
Veröffentlicht 22.06.2026 21:39:26
Zuletzt bearbeitet 23.06.2026 15:16:35
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker's window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerfilamentphp

≫

Produkt filament

Version >= 4.0.0, < 4.11.5

Status affected

Version >= 5.0.0, < 5.6.5

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.19%	0.091

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.4	2.2	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

CWE-841 Improper Enforcement of Behavioral Workflow

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

https://github.com/filamentphp/filament/security/advisories/GHSA-mc5j-f6wx-h9qh

https://nvd.nist.gov/vuln/detail/CVE-2026-48505

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-48505

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-48505

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-48505