CVE Catalog

CVE-2026-56450

MediumCVSS 5.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile — higher than 25% of all known CVEs

Summary

AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who reached the 2FA verification step could submit an unlimited number of OTP guesses, potentially leading to unauthorized account access.

Risk Assessment

The lack of restrictions on OTP verification attempts poses a risk that an attacker could gain access to a user's account by bypassing the second authentication factor.

Recommendation

It is recommended to implement the patch that introduces per-user failed-OTP tracking and blocks verification after 30 failed attempts for one hour.

Original NVD description (English source)

AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access. The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS