CVE-2024-27928: Vantage6: 2FA can be circumvented with hacked email access

June 5, 2026

If an attacker hacks into a vantage6 user’s email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access).

Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues.

References

github.com/advisories/GHSA-4c5c-2vc3-x5w2
github.com/vantage6/vantage6/blob/main/docs/release_notes.rst
github.com/vantage6/vantage6/issues/1932
github.com/vantage6/vantage6/security/advisories/GHSA-4c5c-2vc3-x5w2
nvd.nist.gov/vuln/detail/CVE-2024-27928

Code Behaviors & Features

Detect and mitigate CVE-2024-27928 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →