Description
eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2.
Published: 2026-05-05
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

eLabFTW (elabftw) in all versions through 5.4.1 suffered a login flaw that prevented the system from reliably carrying forward the multi-factor authentication (MFA) state during the authentication sequence. An attacker who possessed a legitimate primary username and password could supply an attacker-controlled TOTP secret and complete the login process without presenting the genuine second factor. The result is that the compromised account is fully authenticated under the attacker's control, giving them full access to the user's data. The weakness is a classic authentication bypass, formally mapped to CWE-302.
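To make the flaw class concrete, here is an added Python illustration (not eLabFTW's own code; the user store, the Session object and the handler names are constructed for this example) of a two-step login in which the TOTP secret travels with the second request, beside a version that keeps the MFA state and the secret strictly server-side:

```python
import hashlib
import hmac
import struct

# Constructed user store: the TOTP secret belongs to the account record and
# must only ever be read from here, never taken from the login request.
USERS = {"alice": {"password": "correct horse", "totp_secret": b"server-side-secret-0"}}

def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP code (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Session:
    """Server-side login state; the client only ever holds an opaque session id."""
    def __init__(self):
        self.user = None
        self.mfa_pending = False
        self.authenticated = False

def step1_password(session: Session, username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return False
    session.user = username
    session.mfa_pending = True      # first factor done, second factor still owed
    session.authenticated = False
    return True

def step2_totp_vulnerable(session: Session, request: dict, now: int) -> bool:
    # Flaw pattern: the MFA state (here, the secret itself) is carried by the
    # request, so whoever passed step 1 can present a code for any secret.
    if hmac.compare_digest(totp(request["totp_secret"], now), request["code"]):
        session.authenticated = True
    return session.authenticated

def step2_totp_fixed(session: Session, request: dict, now: int) -> bool:
    # Hardened: MFA state and the secret live server-side; the request carries
    # only the six-digit code, and step 2 is refused unless step 1 set the flag.
    if session.user is None or not session.mfa_pending:
        return False
    expected = totp(USERS[session.user]["totp_secret"], now)
    if hmac.compare_digest(expected, request["code"]):
        session.mfa_pending = False
        session.authenticated = True
    return session.authenticated
```

The test of the hardened handler is that a code derived from any secret other than the stored one, or a step-2 request arriving without a completed step 1, never flips the session to authenticated.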

Affected Systems

This issue affects all eLabFTW deployments up to and including version 5.4.1. Users running any of these releases are vulnerable, while any installation on version 5.4.2 or later is not susceptible because the login logic has been corrected.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity; however, because the attack requires only valid primary credentials (which the user must). The EPSS score is not available, so the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. In environments where MFA is heavily relied upon, the flaw represents a direct loss of that additional security layer. An attacker with the necessary credentials can effect the exploit in a single authenticated step, making the vulnerability relatively straightforward if the conditions are met.

Generated by OpenCVE AI on May 5, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade eLabFTW to version 5.4.2 or later to apply the official fix for the MFA state preservation bug
  • If an upgrade is not immediately possible, disable MFA for the affected accounts until the patch can be applied
  • Continuously monitor authentication logs for unexpected MFA bypass attempts and investigate any suspicious access patterns

Advisories

No advisories yet.

History

Tue, 05 May 2026 16:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Elabftw; Elabftw elabftw
Vendors & Products                     Elabftw; Elabftw elabftw

Tue, 05 May 2026 12:45:00 +0000

Type           Values Removed   Values Added
Description                     eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2.
Title                           elabftw allows MFA bypass during login
Weaknesses                      CWE-302
References
Metrics                         cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T12:28:10.380Z

Reserved: 2026-02-27T20:57:47.709Z

Link: CVE-2026-28510

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T13:16:28.667

Modified: 2026-05-05T13:16:28.667

Link: CVE-2026-28510

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T15:45:15Z

Weaknesses