CVE-2024-27928
MEDIUMVantage6: 2FA can be circumvented with hacked email access
Title source: cnaDescription
vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues. Version 5.0.0 fixes the issue. No known workarounds are available.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/vantage6/vantage6/security/advisories/GHSA-4c5c-2vc3-x5w2
X_Refsource_Misc x_refsource_misc
https://github.com/vantage6/vantage6/issues/1932
X_Refsource_Misc x_refsource_misc
https://github.com/vantage6/vantage6/blob/main/docs/release_notes.rst#500
Scores
CVSS v4
5.9
EPSS
0.0046
EPSS Percentile
36.2%
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-308
Status
published
Products (1)
vantage6/vantage6
< 5.0.0
Published
Jun 17, 2026
Tracked Since
Jun 18, 2026