PT-2026-24856 · Bubka+2 · 2Fauth

Denizparlak · Published 2026-03-11 · Updated 2026-03-14 · CVE-2026-32133

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: 2FAuth versions prior to 6.1.0

Description: 2FAuth is a web application designed for managing Two-Factor Authentication (2FA) accounts and generating security codes. A blind Server-Side Request Forgery (SSRF) issue exists in versions prior to 6.1.0, allowing authenticated users to send arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The image parameter within the OTP URL is not adequately validated for internal or private IP addresses before HTTP requests are initiated. Although a previous fix implemented response validation to ensure only valid images are stored, the HTTP request to arbitrary URLs still occurs before this validation step. This allows attackers to potentially access sensitive information or interact with internal resources.

Recommendations: Versions prior to 6.1.0 should be updated to version 6.1.0 or later.
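As an added illustration (not 2FAuth's own code, which is PHP), the Python below shows the ordering the advisory calls for: the image URL taken from the otpauth URI is checked against private, loopback, link-local and other non-routable address ranges before any HTTP request is made, rather than validating only the fetched response. The otpauth URI, the hostnames and the pluggable resolver are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample otpauth URI whose "image" parameter points at the
# cloud metadata address; names here are hypothetical, not 2FAuth code.
SAMPLE_OTPAUTH = ("otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP"
                  "&issuer=Example&image=http://169.254.169.254/latest/meta-data/")


def image_param(otpauth_uri: str) -> Optional[str]:
    """Return the 'image' query parameter of an otpauth:// URI, if present."""
    query = urlsplit(otpauth_uri).query
    return parse_qs(query).get("image", [None])[0]


def is_disallowed_address(ip: str) -> bool:
    """True for private, loopback, link-local (incl. 169.254.169.254),
    reserved, multicast or unspecified addresses, IPv4 or IPv6."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname (an IP literal passes through) to address strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def safe_to_fetch(url: str,
                  resolve: Callable[[str], List[str]] = default_resolver
                  ) -> Tuple[bool, str]:
    """Decide BEFORE any HTTP request whether an image URL may be fetched.
    Every address the host resolves to must be routable; a single bad
    record is enough to refuse, which also covers mixed A/AAAA answers."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = resolve(host)
    except (KeyError, OSError) as exc:
        return False, "resolution failed for %s: %s" % (host, exc)
    if not addrs:
        return False, "no address for %s" % host
    for ip in addrs:
        if is_disallowed_address(ip):
            return False, "%s resolves to disallowed address %s" % (host, ip)
    return True, "ok"
```

The resolved-address check is a pre-request gate; to close the remaining DNS rebinding window, the fetch itself should connect to the address that was validated rather than resolving the name a second time.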

SSRF

Related Identifiers

CVE-2026-32133
GHSA-8QP3-X2MP-J6F8

Affected Products

2Fauth