What is the CVSS score of CVE-2026-32729?

CVE-2026-32729 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Runtipi are affected by CVE-2026-32729?

CVE-2026-32729 is a high-severity authentication bypass vulnerability in Runtipi that allows attackers with stolen credentials to circumvent two-factor authentication within 33 minutes through TOTP…

How to fix or mitigate CVE-2026-32729?

Within 24 hours: Identify all Runtipi instances in your environment and document current versions. Within 7 days: Upgrade all Runtipi deployments to version 4.8.1 or later; conduct credential audit and reset passwords for all accounts, particularly administrative users. Within 30 days: Review access logs for suspicious authentication attempts; implement multi-factor authentication through alternative mechanisms if available; establish inventory management for third-party orchestration tools.

Runtipi CVE-2026-32729

HIGH

Improper Restriction of Excessive Authentication Attempts (CWE-307)

2026-03-13 GitHub_M

Authentication Bypass Runtipi

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 13, 2026 - 22:01 vuln.today

CVE Published

Mar 13, 2026 - 21:41 nvd

HIGH 8.1

DescriptionGitHub Advisory

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000-999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1.

AnalysisAI

Critical authentication bypass vulnerability in Runtipi (versions prior to 4.8.1), a personal homeserver orchestrator, where attackers with stolen credentials can brute-force TOTP codes due to missing rate limiting. The vulnerability allows complete bypass of two-factor authentication in approximately 33 minutes, effectively compromising account security. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain valid user credentials

Delivery

Send repeated TOTP verification requests

Exploit

Brute-force 6-digit code within 24-hour session

Execution

Bypass two-factor authentication

Impact

Access authenticated account

Access

Obtain valid user credentials

Delivery

Send repeated TOTP verification requests

Exploit

Brute-force 6-digit code within 24-hour session

Execution

Bypass two-factor authentication

Impact

Access authenticated account

Vulnerability AssessmentAI

Exploitation	Runtipi /api/auth/verify-totp endpoint requires only valid username/password credentials (no prior 2FA bypass needed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 score of 8.1 (High) reflects network-based attack vector (AV:N) with low complexity (AC:L) requiring low privileges (PR:L), resulting in high confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker first obtains valid user credentials through phishing, credential stuffing, or a data breach. They then target the /api/auth/verify-totp endpoint, systematically submitting TOTP codes from 000000 to 999999. …
Remediation	The primary remediation is to upgrade Runtipi to version 4.8.1 or later, which implements proper rate limiting and authentication controls. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Runtipi instances in your environment and document current versions. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-47277 MEDIUM This Month

6.5 Jun 16

Arbitrary file read in Runtipi 4.9.1-4.9.3 exposes sensitive container secrets via symlink following in an unauthenticat

CVE-2026-32729 vulnerability details – vuln.today

Back