CVE-2026-28510

EUVD-2026-27311

05.05.2026, 13:16

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 16%

Affected Products (NVD)

Vendor	Product	Version
elabftw	elabftw	𝑥 < 5.4.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-302 - Authentication Bypass by Assumed-Immutable Data
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

References

https://github.com/elabftw/elabftw/commit/8b7a575aef128870861187eaa2b2f0f08654ecf9

https://github.com/elabftw/elabftw/security/advisories/GHSA-x5wv-c9q4-fj65