Description
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker's window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5.
Published: 2026-06-22
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an attacker who has both a user's password and the recovery codes to submit the same code multiple times concurrently, creating more than one authenticated session per code. The issue stems from a race condition (CWE-362) and improper state handling (CWE-841). This defeats the intended single‑use guarantee of recovery codes, substantially extending the attacker's window of access.
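
The pattern behind CWE-362 here is a check-then-consume sequence: one step verifies the recovery code is unused, a later step marks it used, and two requests that both pass the check before either marks the code will both be granted a session. The following added example (illustrative Python, not Filament's code; the table layout, handler names and sample codes are constructed for the demonstration) drives a naive and an atomic redemption routine through the same worst-case interleaving and counts how many sessions each grants for one code, for any number of parallel submissions.

```python
import hashlib
import sqlite3
from typing import Callable, Iterator, List, Optional

# Constructed sample data for the demonstration (not from Filament): one user
# with two single-use recovery codes, stored hashed at rest.
USER_ID = 1
SAMPLE_CODES = ["alpha-1111", "bravo-2222"]


def code_hash(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Fresh in-memory table of (user, hashed code, used flag)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE recovery_codes "
        "(user_id INTEGER, code_hash TEXT, used INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO recovery_codes (user_id, code_hash) VALUES (?, ?)",
        [(USER_ID, code_hash(c)) for c in SAMPLE_CODES],
    )
    conn.commit()
    return conn


# Each request handler is a generator so the scheduler below can interleave
# requests deterministically: yield None = "paused between steps", yield bool = result.
Handler = Iterator[Optional[bool]]


def redeem_naive(conn: sqlite3.Connection, user_id: int, code: str) -> Handler:
    """Vulnerable pattern: SELECT to check the code, then a separate UPDATE to burn it.

    Requests that all pass the check before any of them marks the code used
    are all granted a session (time-of-check/time-of-use race, CWE-362).
    """
    row = conn.execute(
        "SELECT used FROM recovery_codes WHERE user_id = ? AND code_hash = ?",
        (user_id, code_hash(code)),
    ).fetchone()
    if row is None or row[0] == 1:
        yield False
        return
    yield None  # request pauses here; a concurrent request may now run its own check
    conn.execute(
        "UPDATE recovery_codes SET used = 1 WHERE user_id = ? AND code_hash = ?",
        (user_id, code_hash(code)),
    )
    conn.commit()
    yield True


def redeem_atomic(conn: sqlite3.Connection, user_id: int, code: str) -> Handler:
    """Hardened pattern: check and burn in one conditional UPDATE.

    The database applies the statement atomically, so exactly one request can
    flip used from 0 to 1; every other request sees rowcount == 0 and is denied.
    """
    cur = conn.execute(
        "UPDATE recovery_codes SET used = 1 "
        "WHERE user_id = ? AND code_hash = ? AND used = 0",
        (user_id, code_hash(code)),
    )
    conn.commit()
    yield cur.rowcount == 1


def run_lockstep(handlers: List[Handler]) -> List[bool]:
    """Advance every pending handler one step per round (worst-case interleaving)."""
    results: List[Optional[bool]] = [None] * len(handlers)
    pending = list(enumerate(handlers))
    while pending:
        still_pending = []
        for idx, h in pending:
            out = next(h)
            if out is None:
                still_pending.append((idx, h))
            else:
                results[idx] = out
        pending = still_pending
    return [bool(r) for r in results]


def sessions_granted(redeem: Callable[..., Handler], parallel: int,
                     code: str = SAMPLE_CODES[0]) -> int:
    """Submit the same recovery code from `parallel` concurrent requests; count successes."""
    conn = setup_db()
    handlers = [redeem(conn, USER_ID, code) for _ in range(parallel)]
    return sum(run_lockstep(handlers))


if __name__ == "__main__":
    for n in (2, 5):
        print(f"{n} parallel submissions: naive grants {sessions_granted(redeem_naive, n)} "
              f"session(s), atomic grants {sessions_granted(redeem_atomic, n)}")
```

The naive routine grants one session per parallel request, which is the "two, or more if they batch the parallel submissions wider" behaviour the description refers to; the atomic routine grants exactly one regardless of parallelism. A per-user lock held across check and consume achieves the same guarantee where a conditional update is not available. On the detection side, logging every recovery-code redemption with the code's hash and alerting when the same hash succeeds more than once gives a direct signal for this class of bug.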

Affected Systems

The vulnerability affects Filament releases from 4.0.0 up to, but not including, 4.11.5, and 5.x releases before 5.6.5; the fixes ship in 4.11.5 and 5.6.5. Only app-based multi-factor authentication with recovery codes enabled is impacted; email-based MFA is unaffected.

Risk and Exploitability

The CVSS 3.1 score of 7.4 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) is rated High; the High attack complexity reflects that exploitation depends on winning a timing window. EPSS data is unavailable and the flaw is not listed in CISA KEV, so the current exploitation probability remains uncertain. An attacker must first acquire the victim's password and recovery codes and then submit the same code from multiple concurrent requests, a path that is feasible through normal application usage once credentials are compromised.

Generated by OpenCVE AI on June 22, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Filament to version 4.11.5 or 5.6.5, each of which contains the fix for the recovery-code reuse issue.
  • Revoke existing recovery codes and generate new ones after upgrading, ensuring that only fresh codes remain in use.
  • Encourage users to enable email‑based MFA or disable recovery codes entirely if they are not required for their workflow.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker's window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5.
Title | (none) | Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission
Weaknesses | (none) | CWE-362, CWE-841
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:42:19.537Z

Reserved: 2026-05-21T16:18:10.618Z

Link: CVE-2026-48505

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE-841: Improper Enforcement of Behavioral Workflow