PT-2026-25401 · Git+1 · Runtipi
Iconnnjka · Published 2026-03-13 · Updated 2026-03-18 · CVE-2026-32729

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Runtipi versions prior to 4.8.1

Description: Runtipi is a personal homeserver orchestrator. The /api/auth/verify-totp endpoint lacks rate limiting, attempt counting, or account lockout mechanisms. An attacker with valid user credentials obtained through methods like phishing or credential stuffing can brute-force the 6-digit TOTP code, bypassing two-factor authentication. The TOTP verification session lasts 24 hours, allowing for exhaustive testing of the 1,000,000 possible codes. At a request rate of approximately 500 requests per second, a successful attack can take around 33 minutes. The vulnerable parameter is the TOTP code submitted to the /api/auth/verify-totp endpoint.

Recommendations: Versions prior to 4.8.1 should be updated to version 4.8.1 or later.
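As an added defensive example (not Runtipi's code and not the 4.8.1 fix), a guard around a TOTP check that supplies the controls the description says were missing: per-session attempt counting, lockout after a few failures, and a short verification-session lifetime instead of 24 hours. The session shape, the limits and the injected code checker are assumptions; the driver at the end replays the advisory's numbers (1,000,000 guesses at about 500 requests per second) to show how few guesses reach the verifier.

```typescript
// Assumed session record kept server-side for one pending TOTP step.
type TotpSession = {
  createdAt: number;      // ms since epoch
  failedAttempts: number; // wrong codes seen in this session
  lockedUntil: number;    // ms since epoch, 0 = not locked
};

type VerifyResult = "ok" | "invalid_code" | "locked" | "session_expired";

// Assumed limits: a 5-minute session, 5 failures, 15-minute lockout.
// Lockout outlives the session, so a locked session never recovers.
const SESSION_TTL_MS = 5 * 60 * 1000;
const MAX_FAILED_ATTEMPTS = 5;
const LOCKOUT_MS = 15 * 60 * 1000;

// isValidCode stands in for the real TOTP comparison (assumption).
function verifyTotpWithGuard(
  session: TotpSession,
  submittedCode: string,
  isValidCode: (code: string) => boolean,
  now: number = Date.now(),
): VerifyResult {
  if (now - session.createdAt > SESSION_TTL_MS) return "session_expired";
  if (session.lockedUntil > now) return "locked"; // refuse before checking
  if (isValidCode(submittedCode)) {
    session.failedAttempts = 0;
    return "ok";
  }
  session.failedAttempts += 1;
  if (session.failedAttempts >= MAX_FAILED_ATTEMPTS) {
    session.lockedUntil = now + LOCKOUT_MS;
    return "locked";
  }
  return "invalid_code";
}

// Replays the advisory's scenario against the guard with a fake clock:
// one request every 2 ms (~500 req/s), all wrong. Returns how many
// guesses the guard actually handed to the code checker.
function guessesEvaluatedInSession(totalGuesses: number): number {
  const session: TotpSession = { createdAt: 0, failedAttempts: 0, lockedUntil: 0 };
  let evaluated = 0;
  const alwaysWrong = (_code: string): boolean => { evaluated++; return false; };
  for (let i = 0; i < totalGuesses; i++) {
    verifyTotpWithGuard(session, String(i), alwaysWrong, i * 2);
  }
  return evaluated; // 5: the rest are refused as locked, then expired
}
```

With these limits a single verification session exposes at most MAX_FAILED_ATTEMPTS guesses out of 1,000,000 codes, so the 33-minute exhaustive search described above is no longer possible within one session.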

Weakness Enumeration
Improper Restriction of Excessive Authentication Attempts

Related Identifiers
CVE-2026-32729
GHSA-V6GF-FRXM-567W

Affected Products
Runtipi