CVE-2026-32133
Published: 11 March 2026
Summary
CVE-2026-32133 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in 2FAuth, fixed in version 6.1.0. Its CVSS v3.1 base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): validate the image parameter of the OTP URL and reject destinations that resolve to internal, private, loopback or link-local addresses before any HTTP request is issued; validating the response afterwards, as the earlier fix did, does not stop the request itself.
Outbound boundary control: monitor and restrict outbound communications from the 2FAuth server at the network boundary (egress filtering or a proxy allow-list) so that requests to internal networks and cloud metadata endpoints are blocked or at least logged.
AC-4 (Information Flow Enforcement): enforce information flow policies that prohibit the web application from initiating connections to private IP space and internal resources, which is the flow this SSRF abuses.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Blind SSRF lets an attacker use the 2FAuth server to probe internal hosts and ports (Network Service Discovery, T1046) and to reach cloud instance metadata endpoints, which expose instance configuration and, above all, temporary credentials (Unsecured Credentials: Cloud Instance Metadata API, T1552.005). T1522 (Cloud Instance Metadata API) is the retired standalone identifier for the same behaviour; it was folded into T1552.005, so detections should be mapped to the latter.
NVD Description
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The image parameter in OTP URL is not properly validated for internal / private IP addresses before making HTTP requests. While the previous fix added response validation to ensure only valid images are stored, the HTTP request is still made to arbitrary URLs before this validation occurs. This vulnerability is fixed in 6.1.0.
Deeper analysis
CVE-2026-32133 is a blind server-side request forgery (SSRF) vulnerability in 2FAuth, a web application for managing two-factor authentication (2FA) accounts and generating security codes. The issue affects versions prior to 6.1.0 and stems from improper validation of the image parameter in OTP URLs, which allows HTTP requests to arbitrary destinations, including internal or private IP addresses, before any response validation occurs. A prior fix had introduced response checks to ensure only valid images are stored, but it did not prevent the initial requests. The vulnerability is classified under CWE-918 with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Any authenticated 2FAuth user can make the server issue HTTP requests to attacker-chosen destinations, including internal networks and cloud metadata endpoints, reaching resources that are not exposed to the public internet. Because the SSRF is blind (only responses that parse as valid images are retained), what the attacker learns directly is limited to success, failure and timing of each request, which is enough for internal service discovery; extracting metadata contents such as credentials needs an additional channel. Note that the advisory requires an authenticated user while the CVSS vector records PR:N, so the 9.1 score should be read with that discrepancy in mind when prioritising.
The vulnerability is addressed in 2FAuth version 6.1.0. Additional details are available in the security advisory at https://github.com/Bubka/2FAuth/security/advisories/GHSA-8qp3-x2mp-j6f8.
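The control the advisory and SI-10 describe is a check that runs before the request leaves the server and that refuses any destination resolving to non-public address space. The following is an added example written for this page, not 2FAuth's own code (which is PHP); it shows such a pre-request guard in Python, including the cases that commonly slip past naive checks (literal IPv6, IPv4-mapped IPv6, names with one internal A record among public ones), and returns the vetted addresses so the caller can connect to them rather than re-resolve. All names, the blocked-range list and the resolver table are assumptions constructed for the example.

```python
# Added example (not 2FAuth's code): validate an image URL *before* fetching it.
# Function names, BLOCKED_NETWORKS and CONSTRUCTED_DNS are constructed here.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Belt-and-braces list: ipaddress.is_global already rejects these in current
# Python versions, but spelling them out documents the intent.  The first range
# contains 169.254.169.254, the metadata endpoint of the major cloud providers.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",  # IPv4 link-local, incl. cloud metadata endpoint
    "100.64.0.0/10",   # shared address space (carrier-grade NAT)
    "fd00::/8",        # IPv6 unique local addresses
    "fe80::/10",       # IPv6 link-local
)]


def address_is_public(ip_str):
    """True only for addresses routable on the public internet."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:10.0.0.1 is IPv6 on the wire but lands on 10.0.0.1; classify the
    # embedded IPv4 address, not the wrapper.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if not ip.is_global:  # loopback, RFC 1918, 0.0.0.0/8, multicast, reserved...
        return False
    return not any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host):
    """Return every A/AAAA answer for host (injectable for offline testing)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_image_url(url, resolver=system_resolver):
    """Decide whether an image URL may be fetched.

    Returns (allowed, reason, pinned_addresses).  When allowed, the caller
    should connect to one of pinned_addresses and send the original Host
    header instead of re-resolving the name; that closes the DNS-rebinding
    window between this check and the actual request.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", []
    try:
        # Literal address (including bracketed IPv6): no DNS lookup needed.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}", []
    if not addresses:
        return False, "name resolved to nothing", []
    # Every answer must be public: a single internal record is enough to reach it.
    blocked = [a for a in addresses if not address_is_public(a)]
    if blocked:
        return False, f"non-public address {blocked[0]}", []
    return True, "ok", addresses


# Constructed DNS table so the example runs offline; 93.184.216.34 is used only
# as a stand-in for a public address.
CONSTRUCTED_DNS = {
    "img.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # mixed public/internal answers
}


def demo_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"constructed resolver: no record for {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://img.example.com/logo.png",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:10.0.0.1]/logo.png",
        "http://rebind.example/logo.png",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_image_url(candidate, demo_resolver))
```

Two points the code makes that the description only implies: the check has to cover every resolved address, because an attacker-controlled name can return one public and one internal record, and the caller must reuse the vetted address (or re-run the check on every redirect hop) or the validation can be undone by a second DNS answer. Decimal or octal IP spellings such as `http://2130706433/` are handed to the resolver, so the same rule is applied to whatever the system resolver turns them into rather than being parsed by hand.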
Details
- CWE(s)