Description
vantage6 is an open-source infrastructure for privacy-preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someone's mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as a spam sender. Note resetting the MFA token requires a correct password, so the potential impact for this is very low. Version 5.0.0 fixes the issue. No known workarounds are available.
Published: 2026-06-17
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vantage6 allows resetting the MFA token through API routes that send a reset email. The service does not enforce a limit on the number of emails sent, so an attacker who can provide a valid password could trigger hundreds or thousands of emails to a target's mailbox. While each request requires a correct password, the attack does not compromise credentials or confidentiality. The consequence is primarily disruption of the target's mail flow and possible abuse of the SMTP server as a spam source: a low-impact denial-of-service scenario. The weakness corresponds to CWE-400, Uncontrolled Resource Consumption.

Affected Systems

The issue affects the Vantage6 platform from the vendor Vantage6 before version 5.0.0. The 5.0.0 release and later versions contain a fix that limits the number of reset-related emails.

Risk and Exploitability

The CVSS score of 2.1 indicates a low-severity vulnerability. The EPSS score of less than 1% suggests that exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to know a valid user password, so credential compromise is a prerequisite. Given the low probability of exploitation and the minimal impact, the overall risk to systems that have not yet applied the patch is limited.

Generated by OpenCVE AI on June 18, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vantage6 to version 5.0.0 or later to enforce a limit on MFA reset emails.
  • Where an immediate upgrade is not possible, configure the SMTP server to throttle or rate-limit messages from the Vantage6 host to mitigate potential email flooding.
  • Continuously monitor the SMTP logs for unusual email traffic originating from Vantage6 and apply additional application-level limits if available.

Generated by OpenCVE AI on June 18, 2026 at 17:40 UTC.
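The fix the advisory describes is an application-level cap on how many reset emails one account can trigger per time window, checked after password verification and before the message reaches the mailer. The following is an added, self-contained Python example written for this page; it is not vantage6 code and does not reproduce the project's API. The names (ResetEmailLimiter, request_mfa_reset), the 3-per-hour limit, the in-memory PBKDF2 user store and the outbox list standing in for an SMTP client are all assumptions.

```python
"""Per-account cap on MFA-reset emails: an added, self-contained example.

This is NOT vantage6 code. It models the class of fix the advisory describes
(limit the number of reset emails an account can trigger per time window)
so that a valid password alone cannot be used to flood a mailbox or an
SMTP relay. Names, limits and the in-memory user store are assumptions.
"""
import hashlib
import hmac
import logging
import os
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

log = logging.getLogger("mfa_reset")


# --- constructed credential store (assumption: PBKDF2-SHA256 password hashes) ---
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_ALICE_SALT = os.urandom(16)
USERS: Dict[str, Dict[str, bytes]] = {
    "alice": {"salt": _ALICE_SALT, "hash": _hash_password("correct horse", _ALICE_SALT)},
}


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


class ResetEmailLimiter:
    """Sliding-window counter: at most `max_emails` reset mails per account
    per `window_seconds`. The clock is injectable so the logic is testable."""

    def __init__(self, max_emails: int = 3, window_seconds: float = 3600.0) -> None:
        self.max_emails = max_emails
        self.window_seconds = window_seconds
        self._sent: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, username: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._sent[username]
        # Expire send timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_emails:
            return False
        q.append(now)
        return True


def request_mfa_reset(username: str, password: str, limiter: ResetEmailLimiter,
                      outbox: List[str], now: Optional[float] = None) -> str:
    """Handle one reset request. Returns 'invalid_credentials', 'rate_limited'
    or 'sent'. `outbox` stands in for the SMTP client (constructed)."""
    # 1. Authenticate first, as the advisory says the real route does, so a
    #    wrong password never consumes the account's email budget.
    if not verify_password(username, password):
        return "invalid_credentials"
    # 2. Consult the limiter BEFORE handing the message to the mailer. This is
    #    the check the unpatched versions lacked (CWE-400).
    if not limiter.allow(username, now):
        # Refused requests are the signal the recommended actions ask operators
        # to watch for in logs; record them rather than silently dropping.
        log.warning("MFA reset email for %s refused: limit %d per %.0fs reached",
                    username, limiter.max_emails, limiter.window_seconds)
        return "rate_limited"
    outbox.append(f"To: {username} -- your MFA reset link (constructed message)")
    return "sent"


def demo() -> Dict[str, object]:
    """Five valid-password requests within one hour: only three mails leave."""
    limiter = ResetEmailLimiter(max_emails=3, window_seconds=3600.0)
    outbox: List[str] = []
    results = [request_mfa_reset("alice", "correct horse", limiter, outbox, now=1000.0 + i)
               for i in range(5)]
    return {"results": results, "emails_sent": len(outbox)}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

Two design points matter here. The limiter is keyed by the target account rather than by client IP, because the resource being protected is the victim's mailbox and the relay's reputation, and the requester can change source addresses. The limiter is also consulted only after a successful password check, so it cannot be used by someone without the password to lock a legitimate user out of resetting their MFA. In a multi-process deployment the in-memory deque would be replaced by a shared store (for example a Redis counter), which is an assumption beyond what the advisory states.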

Advisories

Source: GitHub GHSA
ID: GHSA-5549-c5q7-fj65
Title: Vantage6: No limit on emails sent for password/MFA reset

History

Thu, 18 Jun 2026 18:15:00 +0000

Type: First Time appeared
Values Added: Vantage6; Vantage6 vantage6

Type: Vendors & Products
Values Added: Vantage6; Vantage6 vantage6

Thu, 18 Jun 2026 16:45:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 04:45:00 +0000

Type: Description
Values Added: vantage6 is an open-source infrastructure for privacy-preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someone's mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as a spam sender. Note resetting the MFA token requires a correct password, so the potential impact for this is very low. Version 5.0.0 fixes the issue. No known workarounds are available.

Type: Title
Values Added: Vantage6: No limit on emails sent for password/MFA reset

Type: Weaknesses
Values Added: CWE-400

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0
{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T12:43:29.340Z

Reserved: 2024-01-29T20:51:26.013Z

Link: CVE-2024-24769

Vulnrichment

Updated: 2026-06-18T12:43:22.963Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:00:11Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption