EXECUTIVE SUMMARY:
CVE-2026-48505 (CVSS 7.4) is a race condition in Filament's app-based multi-factor authentication (MFA) recovery-code handling that lets a single recovery code be redeemed more than once when it is submitted concurrently. Only deployments with MFA recovery codes enabled are affected. An attacker who already holds the victim's password and one valid recovery code can send parallel authentication requests; each request validates the code before any of them marks it as used, so every request is accepted. The result is multiple authenticated sessions from a code that should have been consumed by the first redemption, extending unauthorized access and allowing repeated privileged actions. Business impact includes unauthorized access to sensitive data, possible data exfiltration, compliance violations and reputational damage, particularly where the single-use guarantee of recovery codes is relied on for session security. Exploitation requires valid credentials plus a valid recovery code and the ability to issue concurrent requests. Email-based MFA is not affected, and the issue cannot be exploited when the recovery-code feature is disabled.
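The check-then-mark window the summary describes, as an added example that is not Filament's code: a Python model of a recovery-code table with a vulnerable redemption path (read the unused row, wait for a database round trip, then update it) beside an atomic one (a single conditional write that succeeds only if it changed exactly one row), and a harness that fires concurrent redemptions of one code at each path and counts how many the server accepts. The store, the hashing (SHA-256 standing in for a real password hash), the code values and the 100 ms round-trip delay are all constructed for this demo.

```python
"""
Single-use recovery codes under concurrent redemption.

Constructed model, not Filament's code: each recovery code is one row
(code_hash -> used flag). The vulnerable path reads the row, waits for a
simulated database round trip, then marks it used; the atomic path does the
check and the mark as one indivisible step. A harness releases N concurrent
redemptions of the same code at each path and counts the accepted ones.
"""
import hashlib
import threading
import time
from dataclasses import dataclass, field


def code_hash(code: str) -> str:
    # Assumption: codes are stored hashed. SHA-256 stands in for a slow
    # password hash so the demo stays self-contained.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


@dataclass
class RecoveryCodeStore:
    rows: dict = field(default_factory=dict)             # code_hash -> used flag
    lock: threading.Lock = field(default_factory=threading.Lock)

    @classmethod
    def issue(cls, codes):
        """Persist a fresh set of codes, all unused."""
        return cls(rows={code_hash(c): False for c in codes})

    def redeem_vulnerable(self, code: str, round_trip: float = 0.1) -> bool:
        """Check-then-act: SELECT ... WHERE used_at IS NULL, then UPDATE.

        Every request that reads the row before the first UPDATE lands sees
        it as unused, so concurrent requests are all accepted.
        """
        h = code_hash(code)
        if self.rows.get(h) is not False:      # unknown code, or already used
            return False
        time.sleep(round_trip)                 # window between SELECT and UPDATE
        self.rows[h] = True                    # UPDATE ... SET used_at = now()
        return True

    def redeem_atomic(self, code: str) -> bool:
        """Check and mark as one step, equivalent to
        UPDATE ... SET used_at = now() WHERE code_hash = ? AND used_at IS NULL
        and accepting the login only if exactly one row changed.
        The lock models the row-level atomicity the database provides.
        """
        h = code_hash(code)
        with self.lock:
            if self.rows.get(h) is not False:
                return False
            self.rows[h] = True
            return True


def race(redeem, code: str, attackers: int = 8) -> int:
    """Submit `code` from `attackers` threads released at the same instant;
    return how many redemptions the server accepted."""
    gate = threading.Barrier(attackers)
    results = []

    def attempt():
        gate.wait()                            # all requests start together
        results.append(redeem(code))

    threads = [threading.Thread(target=attempt) for _ in range(attackers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    codes = ["ALPHA-1234", "BRAVO-5678"]       # constructed demo codes

    vulnerable = RecoveryCodeStore.issue(codes)
    print("vulnerable path accepted:", race(vulnerable.redeem_vulnerable, "ALPHA-1234"))

    fixed = RecoveryCodeStore.issue(codes)
    print("atomic path accepted:   ", race(fixed.redeem_atomic, "ALPHA-1234"))
    print("replay after the race:  ", fixed.redeem_atomic("ALPHA-1234"))
```

The atomic path is what a fix has to look like in the database: one conditional write (`UPDATE ... WHERE code_hash = ? AND used_at IS NULL`) with the login accepted only when the affected-row count is 1, or a `SELECT ... FOR UPDATE` inside the transaction that marks the row; either removes the window the harness exploits. The same harness pointed at a staging login endpoint is a quick way to confirm a deployment is patched: more than one successful session response for a single recovery code means the fix is not in place.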
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-mc5j-f6wx-h9qh