Description
AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access.


The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.
Published: 2026-06-22
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AIL Framework lacked rate limiting on OTP verification attempts. Because the OTP endpoint allowed unlimited guesses after a password was supplied, an attacker could brute‑force the secondary authentication factor. This design flaw (CWE‑307) permits unauthorized account access by evading the intended two‑factor protection, compromising the confidentiality and integrity of user accounts.

Affected Systems

The issue exists in the AIL Project's AIL Framework. No specific version numbers are listed, so all deployments that use the framework’s OTP verification routine without applying the recent patch are potentially affected.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. Because the patch was not yet listed in the CISA KEV catalog and the EPSS score is unavailable, no active exploitation has been confirmed. Based on the description, it is inferred that an attacker who has reached the OTP verification step can repeatedly submit guesses. Thus, the vulnerability can be exploited remotely or locally once the attacker can access the OTP endpoint. The risk is limited to accounts that use the framework and can be targeted by anyone able to reach the OTP step. The likelihood of successful brute‑force increases with the lack of a lockout mechanism, though the impact remains confined to affected deployments.

Generated by OpenCVE AI on June 22, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the patched version of the framework that introduces per‑user OTP failure counters and limits attempts to 30, after which a one‑hour lockout is enforced.
  • Restart services that rely on the framework so the new rate‑limiting logic is active and no residual configuration overrides the lockout mechanism.
  • Use the administrator recovery actions included in the patch to purge any lockouts that may have been applied mistakenly and verify account access for valid users.

Generated by OpenCVE AI on June 22, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Ail-project
Ail-project ail-framework
Vendors & Products Ail-project
Ail-project ail-framework

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access. The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.
Title AIL Framework - Missing Rate Limiting Enables Brute-Force Attacks Against Two-Factor Authentication Codes
Weaknesses CWE-307
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Ail-project Ail-framework
cve-icon MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-22T15:48:49.228Z

Reserved: 2026-06-22T13:02:27.234Z

Link: CVE-2026-56450

cve-icon Vulnrichment

Updated: 2026-06-22T15:48:42.603Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T17:15:03Z

Weaknesses
  • CWE-307

    Improper Restriction of Excessive Authentication Attempts