Cyber Resilience

CVE-2026-32133

Severity: High · Public PoC

Published: 11 March 2026
Modified: 13 March 2026

CVSS v4 score: 7.8 (High)
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0050 (39.2nd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-32133 is a high-severity SSRF (CWE-918) vulnerability in 2FAuth (vendor and product both listed as 2Fauth). Its CVSS v4 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The vulnerability is ranked at the 39.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-32133 is a blind server-side request forgery (SSRF) vulnerability in 2FAuth, a web application for managing two-factor authentication (2FA) accounts and generating security codes. The issue affects versions prior to 6.1.0 and stems from improper validation of the image parameter in OTP URLs, which allows HTTP requests to arbitrary destinations, including internal or private IP addresses, before any response validation occurs. A prior fix had introduced response checks to ensure only valid images are stored, but it did not prevent the initial requests. The vulnerability is classified under CWE-918 with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Authenticated users can exploit this vulnerability to make the 2FAuth server issue arbitrary HTTP requests to internal networks and cloud metadata endpoints. An authenticated attacker can therefore use the server as a pivot to scan or interact with resources that are not reachable from the public internet, which is why the CVSS score indicates high confidentiality and integrity impact.

The vulnerability is addressed in 2FAuth version 6.1.0. Additional details are available in the security advisory at https://github.com/Bubka/2FAuth/security/advisories/GHSA-8qp3-x2mp-j6f8.

Vulnerability details

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The image parameter in OTP URL is not properly validated for internal / private IP addresses before making HTTP requests. While the previous fix added response validation to ensure only valid images are stored, the HTTP request is still made to arbitrary URLs before this validation occurs. This vulnerability is fixed in 6.1.0.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

T1552.005 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

Blind SSRF enables internal network service discovery via arbitrary HTTP requests (T1046) and direct access to cloud instance metadata endpoints for both system discovery (T1522) and credential theft (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25991 (shared CWE-918)
CVE-2026-42141 (shared CWE-918)
CVE-2026-30232 (shared CWE-918)
CVE-2026-38527 (shared CWE-918)
CVE-2026-31941 (shared CWE-918)
CVE-2026-34746 (shared CWE-918)
CVE-2026-4302 (shared CWE-918)
CVE-2026-40348 (shared CWE-918)
CVE-2026-28680 (shared CWE-918)
CVE-2026-28508 (shared CWE-918)

Affected Assets

Vendor: 2fauth
Product: 2fauth
Versions: ≤ 6.1.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly mandates validation of the image parameter in OTP URLs to block HTTP requests to arbitrary internal or private IP addresses before they are made.

Outbound boundary control (prevent, detect): Monitors and controls outbound communications at system boundaries to block or detect requests from the 2FAuth server to internal networks and cloud metadata endpoints.

AC-4 Information Flow Enforcement (prevent): Enforces information flow policies to prohibit unauthorized flows from the web application to private IPs and internal resources exploited in this SSRF vulnerability.

References