CVE-2026-56450

AIL Framework - Missing Rate Limiting Enables Brute-Force Attacks Against Two-Factor Authentication Codes

Assigner: CIRCL
Reserved: 22.06.2026 Published: 22.06.2026 Updated: 22.06.2026

AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access.

The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	Active

CVSS 4.0

Product Status

Vendor	ail project
Product	ail framework
Versions	Default: unaffected affected from 0 to 6.8.0 (incl.)

Vendor

ail project

Product

ail framework

Versions

Default: unaffected

affected from 0 to 6.8.0 (incl.)

Credits

Aurelien Thirion remediation developer
Stephen O finder

References

Problem Types

CWE-307 Improper Restriction of Excessive Authentication Attempts CWE

Impacts

CAPEC-112 Brute Force