Skip to main content

eLabFTW CVE-2026-28510

| EUVDEUVD-2026-27311 MEDIUM
Authentication Bypass by Assumed-Immutable Data (CWE-302)
2026-05-05 GitHub_M
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 13:31 vuln.today
Analysis Generated
May 05, 2026 - 13:31 vuln.today

DescriptionGitHub Advisory

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2.

AnalysisAI

Multi-factor authentication bypass in eLabFTW through version 5.4.1 allows attackers with valid primary credentials to complete login using an attacker-controlled TOTP secret, circumventing the second factor requirement and gaining unauthorized account access. The vulnerability stems from inconsistent MFA state preservation across authentication steps. This issue is patched in version 5.4.2.

Technical ContextAI

eLabFTW is an open-source electronic lab notebook platform written in PHP. The vulnerability exists in the LoginController.php authentication flow, specifically in the MfaHelper instantiation during the multi-factor authentication validation step. The affected code previously accepted MFA secrets from both the session (server-side state) and directly from user-supplied request parameters, creating a race condition or logic flaw where an attacker could supply their own TOTP secret if the session state was not properly initialized. The fix (commit 8b7a575) restricts MFA secret retrieval to only the session object, eliminating the fallback to user-controlled request parameters. CWE-302 (Authentication Bypass by Alternate Name) indicates the root cause is improper validation of authentication credentials or state.

RemediationAI

Vendor-released patch: eLabFTW 5.4.2. Users should upgrade immediately from version 5.4.1 or earlier to 5.4.2 or later. The patch modifies LoginController.php to retrieve the MFA secret exclusively from the session object, eliminating the code path that allowed user-supplied TOTP secrets. For users unable to upgrade immediately, compensating controls include enforcing strong password policies to reduce the likelihood of valid credential compromise, implementing account lockout policies after failed authentication attempts, and monitoring authentication logs for unusual patterns (e.g., successful logins from new IP addresses immediately after MFA prompts). However, these controls do not address the underlying MFA bypass and should only be temporary measures. Apply the patch within 7 days for production environments.

CVE-2021-41171 HIGH POC
8.8 Oct 22

eLabFTW is an open source electronic lab notebook manager for research teams. Rated high severity (CVSS 8.8), this vulne

CVE-2019-12185 HIGH POC
8.8 May 20

eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. Rated hig

CVE-2021-43834 CRITICAL
9.8 Dec 16

eLabFTW is an electronic lab notebook manager for research teams. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2024-25632 HIGH
8.8 Oct 01

eLabFTW is an open source electronic lab notebook for research labs. Rated high severity (CVSS 8.8), this vulnerability

CVE-2021-43833 HIGH
8.8 Dec 16

eLabFTW is an electronic lab notebook manager for research teams. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2025-25206 HIGH
8.3 Feb 14

eLabFTW is an open source electronic lab notebook for research labs. Rated high severity (CVSS 8.3), this vulnerability

CVE-2024-52586 HIGH
7.8 Dec 09

eLabFTW is an open source electronic lab notebook for research labs. Rated high severity (CVSS 7.8), this vulnerability

CVE-2022-31007 HIGH
7.2 May 31

eLabFTW is an electronic lab notebook manager for research teams. Rated high severity (CVSS 7.2), this vulnerability is

CVE-2024-45408 MEDIUM
6.5 Oct 01

eLabFTW is an open source electronic lab notebook for research labs. Rated medium severity (CVSS 6.5), this vulnerabilit

CVE-2024-47826 MEDIUM
6.1 Oct 14

eLabFTW is an open source electronic lab notebook for research labs. Rated medium severity (CVSS 6.1), this vulnerabilit

CVE-2024-28100 MEDIUM
5.4 Sep 02

eLabFTW is an open source electronic lab notebook for research labs. Rated medium severity (CVSS 5.4), this vulnerabilit

CVE-2024-25633 MEDIUM
5.4 Aug 15

eLabFTW is an open source electronic lab notebook for research labs. Rated medium severity (CVSS 5.4), this vulnerabilit

Share

CVE-2026-28510 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy