Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects the hard prerequisite of a compromised target password; C:L/I:L because account access grants read and limited write within that account's AIL scope.
Primary rating from Vendor (CIRCL).
CVSS VectorVendor: CIRCL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access.
The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.
AnalysisAI
Unlimited OTP brute-force against AIL Framework's two-factor authentication endpoint allows an attacker who already possesses a valid account password to bypass the second authentication factor entirely and gain unauthorized account access. The verify_2fa() route accepted an unbounded number of OTP submissions without incrementing a failure counter or enforcing a lockout, and the implementation uses counter-based HOTP rather than time-limited TOTP, removing the time-window throttle that would otherwise constrain brute-force speed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have already completed the first authentication stage, meaning they must possess a valid AIL username and corresponding password - without these, the verify_2fa endpoint is unreachable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score is 5.1 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has acquired a valid AIL user's password through credential phishing or a breach of an external credential store submits it at the login page and reaches the OTP verification screen. The attacker then scripts rapid HTTP POST requests to the verify_2fa endpoint, cycling through counter-window HOTP values or sequential 6-digit codes. … |
| Remediation | The primary remediation is to update AIL Framework to a commit at or beyond d3a394fe68fd5aeee86f3a3c91d4a0350f91e974, available at https://github.com/ail-project/ail-framework/commit/d3a394fe68fd5aeee86f3a3c91d4a0350f91e974. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Ail Framework
View allStored cross-site scripting in AIL Framework <6.8 allows authenticated high-privilege attackers to inject malicious Java
Authenticated path traversal in AIL Framework (CIRCL's Analysis Information Leak threat-intel platform) lets a low-privi
Global.py in AIL framework 2.8 allows path traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exp
Path traversal in AIL Framework's PDF object handling lets an authenticated user read files outside the intended PDF sto
Path traversal in AIL Framework's `/objects/item/diff` endpoint exposes gzip-compressed server-side files to authenticat
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38239
GHSA-hc8r-p4jw-p6fr