CVE-2026-56450
MediumCVSS 5.1Exploitation Probability (EPSS)
Low risk25th percentile — higher than 25% of all known CVEs
Summary
AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who reached the 2FA verification step could submit an unlimited number of OTP guesses, potentially leading to unauthorized account access.
Risk Assessment
The lack of restrictions on OTP verification attempts poses a risk that an attacker could gain access to a user's account by bypassing the second authentication factor.
Recommendation
It is recommended to implement the patch that introduces per-user failed-OTP tracking and blocks verification after 30 failed attempts for one hour.
Original NVD description (English source)
AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access. The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.

