CVE-2026-32729
Published: 16 March 2026
Summary
CVE-2026-32729 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Runtipi, a personal homeserver orchestrator. Its CVSS base score is 8.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability sits at the 17.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and AU-12 (Audit Record Generation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-7 (Unsuccessful Logon Attempts) addresses the flaw directly: counting failed TOTP submissions per account and locking or delaying after a small threshold means an attacker can never enumerate the 1,000,000-code keyspace, whatever request rate they can sustain.
SC-5 (Denial-of-Service Protection) covers request throttling at the endpoint; the advisory's ~500 req/s figure is the rate at which the keyspace can be exhausted in about 33 minutes, so capping the per-client rate far below that, in addition to AC-7's attempt limit, removes the attack's time budget.
AU-12 (Audit Record Generation) requires a log entry for every failed verification attempt, which makes a burst of invalid codes against /api/auth/verify-totp visible to detection and incident response.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The public-facing /api/auth/verify-totp endpoint accepts an unlimited number of guesses, so an attacker who already holds valid credentials can brute-force the TOTP code remotely to bypass 2FA. That is exploitation of a public-facing application (T1190); no foothold on the host is needed.
NVD Description
Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, the Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000–999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1.
Deeper analysis
CVE-2026-32729 affects Runtipi, a personal homeserver orchestrator, in versions prior to 4.8.1. The vulnerability resides in the /api/auth/verify-totp endpoint, which lacks rate limiting, attempt counting, or account lockout mechanisms. This allows brute-force attacks against 6-digit Time-based One-Time Password (TOTP) codes used for two-factor authentication (2FA). The TOTP verification session persists for 24 hours by default (cache TTL), exposing the full 1,000,000-code keyspace (000000–999999). The issue is rated CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-307 (Improper Restriction of Excessive Authentication Attempts) and CWE-799 (Improper Control of Interaction Frequency).
An attacker with a user's valid credentials, obtained via phishing, credential stuffing, or data breach, can exploit this remotely over the network; the PR:L in the vector reflects that the password is already known. By sending repeated requests at a practical rate of roughly 500 per second, they can exhaust the TOTP keyspace in about 33 minutes in the worst case (1,000,000 codes / 500 req/s = 2,000 s), with the expected time about half that, since the correct code is on average found halfway through. The 24-hour session TTL means that even a much slower, less conspicuous rate still fits comfortably inside the window. A successful guess fully bypasses 2FA and grants unauthorized access to the account, with high confidentiality and integrity impact and control over the affected Runtipi instance.
The vulnerability is fixed in Runtipi version 4.8.1. For full details on the patch and mitigation, refer to the GitHub Security Advisory at https://github.com/runtipi/runtipi/security/advisories/GHSA-v6gf-frxm-567w.
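The following is an added example, not Runtipi's code and not the 4.8.1 patch. It models the verify-TOTP step as a pure function so the controls named above (AC-7 attempt counting and lockout, a short session TTL, AU-12 audit records) can be exercised offline against the brute-force described in the advisory. The real TOTP check is abstracted behind a caller-supplied isValidCode; the class, policy fields, session ids and the demo code value 004217 are all constructed for illustration.

```typescript
// Added example (not Runtipi's code): a model of a "verify TOTP after
// password" endpoint with and without the controls the advisory says were
// missing before 4.8.1. Names and demo values are hypothetical.

export const TOTP_KEYSPACE = 1_000_000; // six digits: 000000 .. 999999

export type Outcome = "ok" | "invalid" | "locked" | "expired" | "unknown";

// AU-12: one record per verification attempt, success or failure.
export interface AuditEvent {
  userId: string;
  sessionId: string;
  outcome: Outcome;
  failuresSoFar: number;
  atMs: number;
}

export interface Policy {
  maxFailures: number;  // AC-7 threshold; 0 = unlimited (the vulnerable behaviour)
  sessionTtlMs: number; // lifetime of a pending second-factor session
}

export class TotpGate {
  private sessions = new Map<string, { userId: string; createdMs: number }>();
  // Failures are keyed by user, not by session: the attacker already holds the
  // password and could otherwise reset a per-session counter by logging in again.
  private failures = new Map<string, number>();
  private lockedUsers = new Set<string>();
  readonly audit: AuditEvent[] = [];

  constructor(
    private readonly policy: Policy,
    private readonly isValidCode: (userId: string, code: string) => boolean,
  ) {}

  // Called once the password has been accepted; opens a pending 2FA session.
  startSession(sessionId: string, userId: string, nowMs: number): void {
    this.sessions.set(sessionId, { userId, createdMs: nowMs });
  }

  verify(sessionId: string, code: string, nowMs: number): Outcome {
    const s = this.sessions.get(sessionId);
    if (!s) return "unknown";
    let outcome: Outcome;
    if (nowMs - s.createdMs > this.policy.sessionTtlMs) {
      outcome = "expired";
    } else if (this.lockedUsers.has(s.userId)) {
      outcome = "locked"; // even a correct code is refused once locked
    } else if (this.isValidCode(s.userId, code)) {
      outcome = "ok";
      this.failures.delete(s.userId);
      this.sessions.delete(sessionId); // one-shot: the session cannot be replayed
    } else {
      const n = (this.failures.get(s.userId) ?? 0) + 1;
      this.failures.set(s.userId, n);
      if (this.policy.maxFailures > 0 && n >= this.policy.maxFailures) {
        this.lockedUsers.add(s.userId);
        outcome = "locked";
      } else {
        outcome = "invalid";
      }
    }
    this.audit.push({
      userId: s.userId, sessionId, outcome,
      failuresSoFar: this.failures.get(s.userId) ?? 0, atMs: nowMs,
    });
    return outcome;
  }
}

// The attack from the advisory: enumerate 000000..999999 against one session.
export function bruteForce(
  gate: TotpGate, sessionId: string, nowMs: number,
): { found: string | null; requests: number } {
  for (let i = 0; i < TOTP_KEYSPACE; i++) {
    const code = String(i).padStart(6, "0");
    const r = gate.verify(sessionId, code, nowMs);
    if (r === "ok") return { found: code, requests: i + 1 };
    if (r !== "invalid") return { found: null, requests: i + 1 }; // locked or expired
  }
  return { found: null, requests: TOTP_KEYSPACE };
}

// Worst-case time to exhaust the keyspace at a given request rate.
export function worstCaseSeconds(keyspace: number, requestsPerSecond: number): number {
  return keyspace / requestsPerSecond;
}

export const DEMO_SECRET_CODE = "004217"; // constructed demo value
export const DAY_MS = 24 * 60 * 60 * 1000;

export function demo() {
  const valid = (_user: string, code: string) => code === DEMO_SECRET_CODE;
  const vulnerable = new TotpGate({ maxFailures: 0, sessionTtlMs: DAY_MS }, valid);
  vulnerable.startSession("s1", "alice", 0);
  const before = bruteForce(vulnerable, "s1", 0);
  const hardened = new TotpGate({ maxFailures: 5, sessionTtlMs: 5 * 60 * 1000 }, valid);
  hardened.startSession("s2", "alice", 0);
  const after = bruteForce(hardened, "s2", 0);
  return { before, after, worstCaseMinutes: worstCaseSeconds(TOTP_KEYSPACE, 500) / 60 };
}
```

Against the unlimited policy the enumeration succeeds at request 4,218 (the numeric value of the demo code plus one); against the hardened policy it stops after five failures with the user locked, and a fresh session for the same user stays locked because the counter lives on the account rather than the session. With a five-attempt limit the attacker's chance per lockout window is 5 in 1,000,000, and a five-minute session TTL instead of 24 hours removes the rest of the time budget the advisory describes.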
Details
- CWE(s)