CVE-2026-56450
AIL Framework - Missing Rate Limiting Enables Brute-Force Attacks Against Two-Factor Authentication Codes
Description
AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access. The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.
INFO
Published Date :
June 22, 2026, 1:02 p.m.
Last Modified :
June 22, 2026, 1:02 p.m.
Remotely Exploit :
Yes !
Source :
CIRCL
Affected Products
The following products are affected by CVE-2026-56450
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | MEDIUM | 5a6e4751-2f3f-4070-9419-94fb35b644e8 |
Solution
- Apply the vendor patch to restrict OTP verification attempts.
- Track failed OTP attempts per user.
- Block verification after 30 failed attempts for one hour.
- Clear OTP failure counter on successful verification.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-56450 vulnerability anywhere in the article.