CVE-2026-28510

Published: Mag 05, 2026 Last Modified: Mag 05, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,9

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: high

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2.

302

Authentication Bypass by Assumed-Immutable Data

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control

Potential Impacts:

Bypass Protection Mechanism

Applicable Platforms

Technologies: Not Technology-Specific, Web Based

View CWE Details

https://github.com/elabftw/elabftw/commit/8b7a575aef1288708…

https://github.com/elabftw/elabftw/commit/8b7a575aef128870861187eaa2b2f0f08654e…

https://github.com/elabftw/elabftw/security/advisories/GHSA…

https://github.com/elabftw/elabftw/security/advisories/GHSA-x5wv-c9q4-fj65

CVE-2026-28510

Description

Authentication Bypass by Assumed-Immutable Data

Common Consequences

Applicable Platforms

Iscriviti alla newsletter