Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attacker must already hold password and recovery codes (PR:H); AC:H for race window; impact is session-count amplification only, not new C/I compromise, so C:L/I:L/A:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker's window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5.
AnalysisAI
Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 allows attackers who already possess a victim's password and recovery codes to obtain multiple authenticated sessions per single recovery code by submitting parallel authentication requests. The flaw stems from a TOCTOU race condition (CWE-362) in app-based MFA recovery code validation, undermining the single-use guarantee. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires four concrete conditions: (1) the target Filament instance must be on an affected version (4.0.0-4.11.4 or 5.0.0-5.6.4); (2) app-based (TOTP) MFA must be enabled - email-based MFA is explicitly unaffected; (3) the recovery-codes feature must be enabled in the MFA configuration; and (4) the attacker must already possess BOTH the victim user's password AND at least one of their unused recovery codes obtained out-of-band (phishing, credential stuffing, prior breach). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N vector yields 7.4 (High), but real-world risk is substantially lower than the headline number suggests because this is a post-compromise amplification flaw rather than a standalone access vector - exploitation presupposes the attacker already holds the victim's password AND their recovery codes, conditions not modeled in PR:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has previously phished or otherwise stolen a Filament admin user's password and recovery code set scripts a small concurrent HTTP client (e.g., 10 parallel curl/async requests) to submit the same recovery code to the MFA verification endpoint simultaneously. The race window allows several requests to pass validation before the code is marked consumed, returning multiple valid session cookies the attacker can distribute across IPs to evade single-session anomaly detection. … |
| Remediation | Vendor-released patch: upgrade to Filament 4.11.5 (for the 4.x branch) or 5.6.5 (for the 5.x branch) as documented in GHSA-mc5j-f6wx-h9qh at https://github.com/filamentphp/filament/security/advisories/GHSA-mc5j-f6wx-h9qh. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Filament installations and identify which versions (4.0.0-4.11.4 or 5.0.0-5.6.4) are deployed. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated arbitrary file upload in Filament (Laravel component framework) versions 3.0.0 through 3.3.51, 4.x throu
Stored cross-site scripting in Filament's ImageColumn and ImageEntry components allows low-privileged authenticated atta
Filament is a collection of full-stack components for Laravel development. Rated medium severity (CVSS 6.1), this vulner
Filament's login page leaks account existence through a measurable timing side-channel, allowing unauthenticated remote
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38392
GHSA-mc5j-f6wx-h9qh