Description
Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, the Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000–999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1.
Published: 2026-03-13
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: BypassTwoFactorAuthentication
Action: Patch
AI Analysis

Impact

The vulnerability lets an attacker who already holds a valid username and password bypass two‑factor authentication by brute‑forcing the 6‑digit TOTP code against the `/api/auth/verify-totp` endpoint. Because the endpoint enforces no rate limiting, attempt counting, or account lockout, nothing stops the attacker from submitting every one of the 1,000,000 possible codes (000000–999999). The pending TOTP verification session persists for 24 hours (the default cache TTL), far longer than the attack needs: at a practical rate of about 500 requests per second, 1,000,000 guesses take roughly 33 minutes. Since a TOTP code rotates with the usual 30‑second time step, each guess is effectively an independent trial with about a one‑in‑a‑million chance, so the 33 minutes is the expected cost of the attack rather than a hard upper bound; with a 24‑hour window the attacker can simply keep guessing. Success grants full access to the user's account and any privileges it holds.
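The contrast between the endpoint as the advisory describes it and an attempt‑limited one, as an added example (this is not Runtipi's code, and the hardened class is a hypothetical design, not a description of what 4.8.1 changed): a minimal RFC 6238 TOTP built from the standard library, a verifier that counts nothing, a verifier that binds a failure counter and a short lifetime to the pending 2FA session, and a sequential brute‑force loop run against both. The RFC 6238 test secret and the timestamps are constructed sample inputs; the `clock` hook is an assumption of the simulation so it can run with a frozen or a rotating clock.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from typing import Callable, Dict, Optional, Tuple

# RFC 6238 test secret (ASCII "12345678901234567890"): constructed sample input
# so the runs below are reproducible offline.
DEMO_SECRET = b"12345678901234567890"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with the common defaults: HMAC-SHA1, 30 s step, 6 digits.
    `at` is seconds since the Unix epoch; the code changes every `step` seconds
    no matter how many guesses arrive in between."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # RFC 4226 dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


VerifyFn = Callable[[str, str, float], Tuple[bool, bool]]   # (session, code, now) -> (ok, locked)


class UnboundedVerifier:
    """Shape of the pre-4.8.1 endpoint as described: every guess is compared
    against the current code and nothing is counted, so the only limit is
    how fast the attacker can send requests."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def verify(self, session: str, code: str, now: float) -> Tuple[bool, bool]:
        return hmac.compare_digest(code, totp(self.secret, now)), False   # never locks: the bug


class AttemptLimitedVerifier:
    """Hypothetical hardened shape: a pending-2FA session is created after the
    password step, carries a failure counter and a start time, and is destroyed
    after `max_attempts` failures or once it is older than `max_age` seconds."""

    def __init__(self, secret: bytes, max_attempts: int = 5, max_age: float = 300.0) -> None:
        self.secret = secret
        self.max_attempts = max_attempts
        self.max_age = max_age
        self.pending: Dict[str, Tuple[float, int]] = {}       # session -> (started_at, failures)

    def begin(self, session: str, now: float) -> None:
        """Called once the password has been accepted."""
        self.pending[session] = (now, 0)

    def verify(self, session: str, code: str, now: float) -> Tuple[bool, bool]:
        entry = self.pending.get(session)
        if entry is None:
            return False, True                                # unknown or already-destroyed session
        started_at, failures = entry
        if failures >= self.max_attempts or now - started_at > self.max_age:
            del self.pending[session]                         # refuse without evaluating the code
            return False, True
        if hmac.compare_digest(code, totp(self.secret, now)):
            del self.pending[session]                         # one-shot: success consumes the session
            return True, False
        failures += 1
        self.pending[session] = (started_at, failures)
        return False, failures >= self.max_attempts


def brute_force(verify: VerifyFn, session: str, clock: Callable[[int], float],
                max_guesses: int = 1_000_000) -> Dict[str, object]:
    """Sequential enumeration 000000..999999 against `verify`. `clock(i)` is the
    server's wall time at guess i: frozen for a deterministic run, advancing
    with the attacker's request rate to model a rotating code."""
    found: Optional[str] = None
    for i in range(max_guesses):
        code = f"{i:06d}"
        ok, locked = verify(session, code, clock(i))
        if ok:
            found = code
            return {"found": found, "guesses": i + 1, "locked": False}
        if locked:
            return {"found": found, "guesses": i + 1, "locked": True}
    return {"found": found, "guesses": max_guesses, "locked": False}


def rotating_clock(start: float, rate: float) -> Callable[[int], float]:
    """Wall time as seen by an attacker sending `rate` guesses per second."""
    return lambda i: start + i / rate


def exhaust_seconds(rate: float, keyspace: int = 1_000_000) -> float:
    """Seconds needed to send every code once at `rate` req/s (the advisory's 33-minute figure)."""
    return keyspace / rate


if __name__ == "__main__":
    start = 1_700_000_000.0
    weak = UnboundedVerifier(DEMO_SECRET)
    print("unbounded:", brute_force(weak.verify, "s1", rotating_clock(start, 500)))
    print(f"one pass at 500 req/s = {exhaust_seconds(500) / 60:.1f} min")
    strong = AttemptLimitedVerifier(DEMO_SECRET)
    strong.begin("s1", start)
    print("attempt-limited:", brute_force(strong.verify, "s1", rotating_clock(start, 500)))
```

With the rotating clock the unbounded run is probabilistic, since the target code changes every 15,000 guesses at 500 req/s, which is why the 33‑minute figure is an expected cost rather than a bound; against the attempt‑limited verifier the session is dead after five guesses whatever the clock does, and an expired session is refused before the code is even evaluated. Counting per pending session rather than per source IP is the design choice that matters: the session is the thing the attacker actually holds, whereas per‑IP limits are spread across many addresses trivially.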

Affected Systems

All Runtipi releases prior to version 4.8.1 are affected. The affected product is runtipi:runtipi. Any deployment using a version older than 4.8.1 with the `/api/auth/verify-totp` endpoint accessible is vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, reflects a network‑reachable, low‑complexity attack that needs no user interaction but does require the attacker to already be past the password step (PR:L). EPSS is under 1% and the vulnerability is not listed in CISA's KEV catalog, so there is no evidence of exploitation in the wild at the time of writing, although the SSVC record marks a proof of concept as available. The precondition, valid credentials obtained through phishing, credential stuffing, or a data breach, is exactly the scenario 2FA exists to blunt; once credentials are known, the missing rate limit makes full account takeover highly feasible and the risk of compromise substantial.

Generated by OpenCVE AI on March 17, 2026 at 21:06 UTC.

Remediation

Fixed in Runtipi 4.8.1 (per the advisory description above). No separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade every deployed Runtipi instance to 4.8.1 or newer; this is the only fix that removes the unbounded TOTP guessing.
  • If patching is delayed, restrict access to the `/api/auth/verify-totp` endpoint at the network level, for example by rate‑limiting it at a reverse proxy in front of Runtipi or by not exposing the instance outside a trusted network. Treat this as a stopgap: per‑IP limits slow a single source but are spread across many addresses easily, and they do nothing about the 24‑hour verification window.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 19:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*

Mon, 16 Mar 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Runtipi; Runtipi runtipi
Type: Vendors & Products
Values Added: Runtipi; Runtipi runtipi

Fri, 13 Mar 2026 22:00:00 +0000

Type: Description
Values Added: Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000–999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1.
Type: Title
Values Added: Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp`
Type: Weaknesses
Values Added: CWE-307, CWE-799
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T20:22:43.613Z

Reserved: 2026-03-13T15:02:00.626Z

Link: CVE-2026-32729

Vulnrichment

Updated: 2026-03-16T20:20:39.824Z

NVD

Status : Analyzed

Published: 2026-03-16T14:19:43.400

Modified: 2026-03-17T19:01:54.250

Link: CVE-2026-32729

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:11Z

Weaknesses