Vantage6: No limit on emails sent for password/MFA reset
Description
vantage6 allows unlimited MFA token reset emails, potentially causing DoS and SMTP server issues, but requires a valid password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
vantage6 allows unlimited MFA token reset emails, potentially causing DoS and SMTP server issues, but requires a valid password.
Vulnerability
In vantage6 versions prior to 5.0.1, users could request MFA token reset emails via API routes without any limit on the number of emails sent. This vulnerability exists in the API routes responsible for MFA token resets [4].
Exploitation
An attacker needs a user's correct password to initiate an MFA token reset. Once authenticated, the attacker can repeatedly call the API routes to send an unlimited number of emails, aiming to flood the target's mailbox [4].
Impact
The primary impact is a denial-of-service condition, where an attacker can flood a user's mailbox with emails, potentially causing the SMTP server to be flagged as a spam sender. However, since a correct password is required for the initial reset, the overall potential impact is considered very low [4].
Mitigation
Versions 5.0.0 and later have addressed this issue by moving to Keycloak for authentication, which prevents unlimited MFA reset emails [1]. There are no specific patches or workarounds mentioned for earlier versions, and the vulnerability is not listed as a known exploited vulnerability [4].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
4News mentions
0No linked articles in our index yet.