Skip to main content

Filament CVE-2026-48505

| EUVDEUVD-2026-38392 HIGH
Race Condition (CWE-362)
2026-06-22 GitHub_M GHSA-mc5j-f6wx-h9qh
7.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
3.3 LOW

Attacker must already hold password and recovery codes (PR:H); AC:H for race window; impact is session-count amplification only, not new C/I compromise, so C:L/I:L/A:N.

3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 22, 2026 - 23:02 EUVD
Analysis Generated
Jun 22, 2026 - 22:19 vuln.today

DescriptionCVE.org

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker's window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5.

AnalysisAI

Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 allows attackers who already possess a victim's password and recovery codes to obtain multiple authenticated sessions per single recovery code by submitting parallel authentication requests. The flaw stems from a TOCTOU race condition (CWE-362) in app-based MFA recovery code validation, undermining the single-use guarantee. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain victim password and recovery codes out-of-band
Delivery
Identify Filament MFA verification endpoint
Exploit
Submit same recovery code via N parallel HTTP requests
Execution
Race the check-then-consume window
Persist
Receive multiple valid session cookies
Impact
Distribute sessions across IPs to extend access

Vulnerability AssessmentAI

Exploitation Exploitation requires four concrete conditions: (1) the target Filament instance must be on an affected version (4.0.0-4.11.4 or 5.0.0-5.6.4); (2) app-based (TOTP) MFA must be enabled - email-based MFA is explicitly unaffected; (3) the recovery-codes feature must be enabled in the MFA configuration; and (4) the attacker must already possess BOTH the victim user's password AND at least one of their unused recovery codes obtained out-of-band (phishing, credential stuffing, prior breach). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N vector yields 7.4 (High), but real-world risk is substantially lower than the headline number suggests because this is a post-compromise amplification flaw rather than a standalone access vector - exploitation presupposes the attacker already holds the victim's password AND their recovery codes, conditions not modeled in PR:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has previously phished or otherwise stolen a Filament admin user's password and recovery code set scripts a small concurrent HTTP client (e.g., 10 parallel curl/async requests) to submit the same recovery code to the MFA verification endpoint simultaneously. The race window allows several requests to pass validation before the code is marked consumed, returning multiple valid session cookies the attacker can distribute across IPs to evade single-session anomaly detection. …
Remediation Vendor-released patch: upgrade to Filament 4.11.5 (for the 4.x branch) or 5.6.5 (for the 5.x branch) as documented in GHSA-mc5j-f6wx-h9qh at https://github.com/filamentphp/filament/security/advisories/GHSA-mc5j-f6wx-h9qh. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Filament installations and identify which versions (4.0.0-4.11.4 or 5.0.0-5.6.4) are deployed. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy