AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access. The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.
History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Ail-project
Ail-project ail-framework
Vendors & Products Ail-project
Ail-project ail-framework

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access. The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.
Title AIL Framework - Missing Rate Limiting Enables Brute-Force Attacks Against Two-Factor Authentication Codes
Weaknesses CWE-307
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: CIRCL

Published: 2026-06-22T13:02:30.320Z

Updated: 2026-06-22T15:48:49.228Z

Reserved: 2026-06-22T13:02:27.234Z

Link: CVE-2026-56450

cve-icon Vulnrichment

Updated: 2026-06-22T15:48:42.603Z

cve-icon NVD

No data.

cve-icon Redhat

No data.