VYPR
Medium severity (5.9) · NVD Advisory · Published May 5, 2026 · Updated May 12, 2026

CVE-2026-28510

Description

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2.
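The description above boils down to one rule: the TOTP secret the server verifies against must come from server-side state written after the primary credentials were checked, never from the request body. The following is an added, language-neutral illustration (Python, not eLabFTW's PHP code) of that rule. `verify_second_factor`, `outcome`, the session/form dictionaries and the two base32 secrets are assumptions for the example; the `totp` function follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) and `legacy_fallback_secret` reproduces the fallback pattern the patch removes so its effect can be compared.

```python
# Added example, not eLabFTW code. Shows second-factor verification that
# reads the TOTP secret only from server-side session state.
import base64
import hashlib
import hmac
import struct


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time `at`, in seconds since epoch."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class MfaStateMissing(Exception):
    """Raised when the session does not carry the MFA state for this login."""


def legacy_fallback_secret(session: dict, request_form: dict):
    """The pattern the patch removes: session first, else the POST body.
    A client that reaches this step with no secret in the session can then
    choose the secret its own code is checked against."""
    return session.get("mfa_secret") or request_form.get("mfa_secret")


def verify_second_factor(session: dict, request_form: dict, now: int,
                         window: int = 1) -> bool:
    """Finish the MFA step. `session` is server-side state populated after the
    primary credentials were verified; `request_form` is the POST body.
    The secret and the user id come from the session only; an `mfa_secret`
    key in the request body is never read. Missing state fails closed."""
    secret = session.get("mfa_secret")
    user_id = session.get("auth_userid")
    if not secret or user_id is None:
        raise MfaStateMissing("no mfa_secret/auth_userid in session")
    # Mirror getAlnum(): keep only alphanumeric characters of the submitted code.
    code = "".join(ch for ch in str(request_form.get("mfa_code", "")) if ch.isalnum())
    if len(code) != 6 or not code.isdigit():
        return False
    # Accept the current 30-second step and `window` steps on either side.
    for delta in range(-window, window + 1):
        expected = totp(secret, now + delta * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def outcome(session: dict, request_form: dict, now: int) -> str:
    """Convenience wrapper returning 'ok', 'rejected' or 'no-state'."""
    try:
        return "ok" if verify_second_factor(session, request_form, now) else "rejected"
    except MfaStateMissing:
        return "no-state"


if __name__ == "__main__":
    # Constructed sample values: the RFC 6238 reference key ("12345678901234567890"
    # in base32) as the enrolled secret, and an unrelated second secret.
    ENROLLED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    OTHER = "JBSWY3DPEHPK3PXP"
    T = 59
    session = {"mfa_secret": ENROLLED, "auth_userid": 7}
    print(outcome(session, {"mfa_code": totp(ENROLLED, T)}, T))          # ok
    print(outcome(session, {"mfa_code": totp(OTHER, T), "mfa_secret": OTHER}, T))  # rejected
    print(outcome({"auth_userid": 7}, {"mfa_code": totp(OTHER, T), "mfa_secret": OTHER}, T))  # no-state
```

The `legacy_fallback_secret` helper is there only to show, side by side, why the session-only lookup matters: when the session holds no secret, the legacy lookup returns whatever the request body supplies, whereas `verify_second_factor` refuses to proceed. The session must be populated only after the primary authentication step succeeds, which is the part of the flow the advisory describes as not being reliably preserved.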

Affected products

  • Elabftw/Elabftw (2 references, 2 versions)
    • (no CPE)
    • cpe:2.3:a:elabftw:elabftw:*:*:*:*:*:*:*:* (range: <5.4.2)

Patches

8b7a575aef12

cleanup: login/mfa: remove useless request fallback

https://github.com/elabftw/elabftw · Nicolas CARPi · Mar 1, 2026 · via nvd-ref
1 file changed · +1 −1
  • src/Controllers/LoginController.php (+1 −1, modified)
    @@ -358,7 +358,7 @@ private function getAuthService(): AuthInterface
                     // MFA AUTH
                 case AuthType::Mfa:
                     return new Mfa(
    -                    new MfaHelper($this->Session->get('mfa_secret') ?? $this->Request->request->get('mfa_secret')),
    +                    new MfaHelper($this->Session->get('mfa_secret')),
                         $this->Session->get('auth_userid'),
                         $this->Request->request->getAlnum('mfa_code'),
                     );
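Review bot: with the request fallback gone, `$this->Session->get('mfa_secret')` returning null now flows straight into `new MfaHelper(...)` in this hunk, so the fail-closed behaviour depends on MfaHelper rejecting a null secret; make that explicit in `getAuthService()` by checking that both `mfa_secret` and `auth_userid` are present in the session before constructing `Mfa`, and returning an authentication error otherwise. The commit message ("remove useless request fallback") also understates the change: the removed expression let a POST parameter supply the secret the submitted `mfa_code` is verified against, which is the bypass the advisory describes, so the message should say so and a regression test that posts `mfa_secret` alongside `mfa_code` and expects rejection would document the intent.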
    
