7.8
2FAuth web app allows attackers to access internal networks
CVE-2026-32133
Summary
A server-side request forgery (SSRF) flaw in 2FAuth's web app could allow an authenticated attacker to make the server send HTTP requests to internal networks and cloud metadata endpoints. Sensitive information could be compromised if an attacker can trick the system into making these unauthorized requests. Update to version 6.1.0 to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| 2fauth | 2fauth | <= 6.1.0 | – |
Original title
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users...
Original description
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The image parameter in the OTP URL is not properly validated for internal / private IP addresses before making HTTP requests. While the previous fix added response validation to ensure only valid images are stored, the HTTP request is still made to arbitrary URLs before this validation occurs. This vulnerability is fixed in 6.1.0.
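
The pre-request check the description says was missing, shown as an added Python example (not 2FAuth's own code): it vets the `image` parameter of an OTP URI before any HTTP request is made. The function names, the injectable resolver and the sample hosts used with it are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, parse_qs


def _is_internal(addr):
    """True if addr is loopback, private, link-local or otherwise non-public."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def system_resolver(host):
    """Default resolver (hypothetical helper): every address the host maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def image_fetch_targets(otp_uri, resolve=system_resolver):
    """Return the vetted IPs for the image URL, or [] when no image is given.

    Raises ValueError before any request is sent if the URL is not http(s)
    or if any address behind the host is internal.
    """
    images = parse_qs(urlsplit(otp_uri).query).get("image", [])
    if not images:
        return []
    url = urlsplit(images[0])
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("image must be an http(s) URL with a host")
    try:
        # Host is already an IP literal: check it directly.
        addrs = [str(ipaddress.ip_address(url.hostname))]
    except ValueError:
        addrs = resolve(url.hostname)
    if not addrs:
        raise ValueError("image host does not resolve")
    for addr in addrs:
        if _is_internal(addr):
            raise ValueError(f"image host maps to internal address {addr}")
    return addrs
```

The fetch should then connect to one of the returned addresses rather than resolving the name again, since a DNS answer that changes between the check and the request would bypass it. Redirects need the same check applied to each hop.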
nvd CVSS4.0
7.8
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026