Description
vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues. Version 5.0.0 fixes the issue. No known workarounds are available.
Published: 2026-06-17
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A compromise of a user’s email account allows an attacker to reset the user’s password through the standard email verification process and then reset the two‑factor authentication token via the same mechanism. The attacker effectively reduces the user’s authentication method from two‑factor to single‑factor, enabling full access to the victim’s account. The weakness is a flaw in the handling of email‑based password and 2FA reset procedures (CWE‑308).

Affected Systems

The vulnerability exists in Vantage6, the open‑source privacy‑preserving analysis platform, in all releases prior to version 5.0.0. Users of earlier versions are susceptible to this attack. The vendor has released an update in version 5.0.0 that removes the flaw.

Risk and Exploitability

The CVSS base score of 5.9 indicates moderate severity while the EPSS score of less than 1 % reflects a very low likelihood of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Exploitation requires the attacker to already possess access to the victim’s email account, a scenario that is plausible but mitigated by most email providers’ own 2FA requirements. Nonetheless, once email access is achieved, the attacker can immediately hijack the Vantage6 account by resetting the password and 2FA token.

Generated by OpenCVE AI on June 18, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vantage6 to version 5.0.0 or later to eliminate the vulnerability
  • If upgrading immediately is not possible, disable or block the ability for users to reset passwords or 2FA tokens via email until a patch is applied
  • Enforce strict email account security by requiring strong passwords and 2FA for all user mailboxes and monitor for suspicious login activity

Generated by OpenCVE AI on June 18, 2026 at 17:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4c5c-2vc3-x5w2 Vantage6: 2FA can be circumvented with hacked email access
History

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Vantage6
Vantage6 vantage6
Vendors & Products Vantage6
Vantage6 vantage6

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues. Version 5.0.0 fixes the issue. No known workarounds are available.
Title Vantage6: 2FA can be circumvented with hacked email access
Weaknesses CWE-308
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Vantage6 Vantage6
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T12:57:34.777Z

Reserved: 2024-02-28T15:14:14.215Z

Link: CVE-2024-27928

cve-icon Vulnrichment

Updated: 2026-06-18T12:57:31.391Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses
  • CWE-308

    Use of Single-factor Authentication