CVE-2026-56450

Severity: MEDIUM
Weakness: CWE-307
Published: June 22, 2026 · Updated: Jun 22, 2026

CVSS v3.1 score: 5.1
EPSS: 0.33% probability of exploitation in 30 days (percentile: 24.6th)

Official Description

AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access.

The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.
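The mitigation the advisory describes (a per-user failure counter, a one-hour block after 30 failed OTP attempts, a reset on successful verification, and an administrator purge) as an added Python illustration; this is not AIL's own code, and the `expected` argument stands in for whatever OTP check the application actually performs.

```python
import hmac
import time
from dataclasses import dataclass, field

MAX_FAILED_OTP = 30        # failed attempts allowed before lockout (from the advisory)
LOCKOUT_SECONDS = 60 * 60  # lockout duration: one hour (from the advisory)


@dataclass
class OtpLimiter:
    """Per-user failed-OTP tracking with a temporary lockout (illustrative, not AIL's code)."""
    failures: dict = field(default_factory=dict)      # user -> consecutive failed attempts
    locked_until: dict = field(default_factory=dict)  # user -> unix time the lockout expires

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout has expired: release it and restart the counter from zero.
            self.locked_until.pop(user, None)
            self.failures.pop(user, None)
            return False
        return True

    def verify(self, user, submitted, expected, now=None):
        """Return 'locked', 'ok' or 'invalid'; the code is compared only when not locked."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"
        # Constant-time comparison; `expected` stands in for the app's real OTP check (assumption).
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self.failures.pop(user, None)  # success clears the counter
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILED_OTP:
            self.locked_until[user] = now + LOCKOUT_SECONDS
        return "invalid"

    def admin_unlock(self, user=None):
        """Administrator recovery: purge one user's lockout, or every lockout when user is None."""
        if user is None:
            self.failures.clear()
            self.locked_until.clear()
        else:
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
```

Note that a correct code submitted while the user is locked is still refused, which is the behaviour that closes the brute-force window.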

Source: NVD

Technical Analysis

CVE-2026-56450 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation does not require any privileges, though user interaction (UI:A) is required, which slightly reduces the risk of mass automated attacks.

CVSS v3.1 Vector Breakdown

Exploitability
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: A
  • Scope: X

Impact (values taken from the vector string below)
  • Confidentiality (VC): L
  • Integrity (VI): N
  • Availability (VA): N

Vector string:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.


Quick Facts

  • CVE ID: CVE-2026-56450
  • CVSS Score: 5.1 / 10
  • Severity: MEDIUM
  • Weakness: CWE-307
  • CISA KEV: No
  • EPSS (30d): 0.33%
  • Published: Jun 22, 2026


Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-56450 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.