Description
Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication (TOTP) requirement entirely. Although, an attacker still needs the user's password to reach this stage. This vulnerability is fixed in 1.16.3.
Published: 2026-05-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A critical authentication bypass flaw allows an attacker who knows a valid username and password to skip the required TOTP second‑factor authentication. The vulnerability requires the attacker to already possess valid user credentials, which can be obtained through credential compromise or social engineering. Once bypassed, the attacker can access the file sharing platform with full privileges, compromising confidential data and integrity of stored files.

Affected Systems

Pingvin Share X self‑hosted file sharing platform, versions 1.14.1 through 1.16.2, provided by smp46.

Risk and Exploitability

The CVSS score of 9.1 indicates a high‑severity flaw. Although no EPSS score is available, the absence of a KEV listing does not diminish the seriousness of the issue. Exploitation requires valid credentials, making the attack vector credential‑dependent but feasible for attackers who have already stolen or guessed passwords. Given the severity and the potential for unfettered access, the risk remains substantial.

Generated by OpenCVE AI on May 12, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pingvin Share X to version 1.16.3 or later to apply the vendor‑issued fix.
  • Verify that the configuration enforces two‑factor authentication for all accounts and disable any setting that permits password‑only logins.
  • Audit login logs for unexpected or repeated successful logins that bypass TOTP and, if needed, reset credentials for affected accounts.

Generated by OpenCVE AI on May 12, 2026 at 19:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Smp46
Smp46 pingvin-share-x
Vendors & Products Smp46
Smp46 pingvin-share-x

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication (TOTP) requirement entirely. Although, an attacker still needs the user's password to reach this stage. This vulnerability is fixed in 1.16.3.
Title Pingvin Share X: TOTP Authentication Bypass via Password-only Login
Weaknesses CWE-287
CWE-697
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Smp46 Pingvin-share-x
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:49:00.840Z

Reserved: 2026-05-05T15:13:47.570Z

Link: CVE-2026-44196

cve-icon Vulnrichment

Updated: 2026-05-14T19:48:45.574Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T18:17:29.730

Modified: 2026-05-13T18:21:10.270

Link: CVE-2026-44196

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:37:53Z

Weaknesses