
GHSA-qq2p-4282-cfc5: eduMFA: Incorrect InnoDB snapshot isolation possibly allows token reusage

May 18, 2026

For deployments using MySQL, or MariaDB older than 11.6.2 (or a newer MariaDB with innodb_snapshot_isolation=off), reuse of token values might be possible because of faulty transaction isolation inside the database. Exploiting this requires winning a race against the transaction that consumes the value. All token types whose values are supposed to be used only once are affected, for example TOTP, HOTP, and likely also WebAuthn.
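The following SQL is an added illustration, not code from eduMFA or from the advisory. It shows how an operator can check the database-side precondition named above, and contrasts a read-then-write pattern that a racing transaction can slip past with a compare-and-set update whose predicate is evaluated against the current row under a row lock. The table `token_counter` and its columns are assumptions for the example; eduMFA's real schema is not shown on this page.

```sql
-- 1. Precondition check (MySQL / MariaDB client).
--    On servers that have no innodb_snapshot_isolation variable the SHOW
--    statement returns no row; on MariaDB builds that expose it, a value of
--    OFF matches the configuration described in the advisory.
SELECT VERSION();
SHOW VARIABLES LIKE 'innodb_snapshot_isolation';

-- 2. Constructed table standing in for a one-time-use counter (HOTP-style).
CREATE TABLE token_counter (
  token_id INT PRIMARY KEY,
  counter  BIGINT NOT NULL
);
INSERT INTO token_counter VALUES (1, 41);

-- 3. Fragile pattern: read the counter, decide in the application, then write
--    unconditionally. Under REPEATABLE READ the SELECT reads a snapshot, so two
--    concurrent sessions can both observe 41, both accept the value, and both
--    run the UPDATE; the second write silently overwrites the first.
START TRANSACTION;
SELECT counter FROM token_counter WHERE token_id = 1;   -- both sessions see 41
UPDATE token_counter SET counter = 42 WHERE token_id = 1;
COMMIT;

-- 4. Compare-and-set pattern: the expected old value is part of the UPDATE
--    predicate. InnoDB evaluates the predicate on the latest committed row
--    while holding the row lock, so of two racing sessions exactly one matches;
--    the other affects 0 rows (or, with snapshot isolation ON, gets an error)
--    and must treat the value as already consumed.
START TRANSACTION;
UPDATE token_counter
   SET counter = 42
 WHERE token_id = 1
   AND counter  = 41;
SELECT ROW_COUNT() AS accepted;   -- 1 = value consumed now, 0 = reject
COMMIT;
```

The application-side rule that goes with step 4 is to accept the authentication only when `ROW_COUNT()` is 1 and to treat 0 rows or a serialization error as a replay; the decision is then taken on the database's locked write rather than on an earlier snapshot read.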

References

  • github.com/advisories/GHSA-qq2p-4282-cfc5
  • github.com/eduMFA/eduMFA/security/advisories/GHSA-qq2p-4282-cfc5


Affected versions

All versions before 2.9.1

Fixed versions

  • 2.9.1

Solution

Upgrade to version 2.9.1 or above.

Impact 7.1 HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L


Weakness

  • CWE-285: Improper Authorization

Source file

pypi/edumfa/GHSA-qq2p-4282-cfc5.yml


Page generated Tue, 23 Jun 2026 12:24:43 +0000.