PYSEC-2026-3398

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/vantage6/PYSEC-2026-3398.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-3398
Aliases
Published
2026-07-13T15:46:14.878751Z
Modified
2026-07-13T16:33:32.018574594Z
Severity
  • 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Vantage6: 2FA can be circumvented with hacked email access
Details

Impact

If an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access).

Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues.

Proposed solution

Many web apps do not provide functionality to reset 2FA token (probably for this reason), but provide recovery codes as well. It would be better to provide these recovery codes to the user 1 time and then delete the option to reset it.

An alternative may be to only let server administrators reset 2FA token. However, this has as disadvantage that a hacked email account may send messages to the server admin to reset them, which they may fall for.

Patches

No

Workarounds

No

References

Affected packages

PyPI / vantage6

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.0.0

Affected versions

0.*
0.0.0b0
0.0.0b1
0.0.0b3
0.0.0
1.*
1.0.0a1
1.0.0a2
1.0.0b2
1.0.0b3
1.0.0b4
1.0.0b5
1.0.0b6
1.0.0b7
1.0.0b8
1.0.0b9
1.0.0b10
1.0.0b11
1.0.0b12
1.0.0b13
1.0.0b14
1.0.0
1.1.0rc1
1.1.0rc2
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.3.post2
2.*
2.0.0a1
2.0.0a2
2.0.0a3
2.0.0
2.0.0.post1
2.0.1rc1
2.0.1rc2
2.1.0rc1
2.1.0
2.1.1
2.2.0b1
2.2.0b2
2.2.0b3
2.2.0b4
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.3.0rc1
2.3.0rc2
2.3.0rc3
2.3.0rc4
2.3.0rc5
2.3.0
2.3.1
2.3.2rc1
2.3.2
2.3.3
2.3.4
2.3.5b1
2.3.5
3.*
3.0.0b1
3.0.0b2
3.0.0b3
3.0.0b4
3.0.0b5
3.0.0b6
3.0.0b7
3.0.0b8
3.0.0rc1
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0rc1
3.1.0rc5
3.1.0rc6
3.1.0rc7
3.1.0rc8
3.1.0rc9
3.1.0
3.1.1rc1
3.1.1rc2
3.2.0rc1
3.2.0rc2
3.2.0rc3
3.2.0rc4
3.2.0rc5
3.2.0
3.3.0a0
3.3.0rc1
3.3.0rc2
3.3.0rc3
3.3.0rc4
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7a2
3.3.7a3
3.3.7
3.3.8a1
3.3.8a2
3.3.8a4
3.3.8a5
3.3.8a6
3.3.8a7
3.3.8a8
3.4.0a1
3.4.0a2
3.4.0a3
3.4.0a6
3.4.0
3.4.1a0
3.4.1a1
3.4.1a2
3.4.1a3
3.4.1
3.4.2a0
3.4.2
3.4.3
3.5.0rc1
3.5.0rc2
3.5.0rc3
3.5.0
3.5.1
3.5.2
3.6.0
3.6.1rc1
3.6.1rc2
3.6.1rc3
3.6.1
3.7.0rc1
3.7.0rc2
3.7.0
3.7.1
3.7.2
3.7.3
3.8.0rc3
3.8.0
3.8.1
3.8.2rc1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7rc1
3.8.7
3.8.8rc1
3.8.8rc2
3.8.8rc3
3.8.8
3.9.0rc2
3.9.0rc4
3.9.0
3.10.0rc1
3.10.0
3.10.1
3.10.3
3.10.4
3.11.0rc1
3.11.0rc2
3.11.0rc3
3.11.0
3.11.1
4.*
4.0.0a2
4.0.0a3
4.0.0a4
4.0.0a5
4.0.0a6
4.0.0a7
4.0.0a8
4.0.0a9
4.0.0a10
4.0.0
4.0.1rc2
4.0.1
4.0.2
4.0.3
4.1.0b0
4.1.0b1
4.1.0rc0
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0rc1
4.2.0rc2
4.2.0
4.2.1
4.2.2
4.2.3
4.3.0b3
4.3.0b4
4.3.0b5
4.3.0b6
4.3.0rc1
4.3.0rc2
4.3.0
4.3.1
4.3.2rc2
4.3.2
4.3.4rc3
4.3.4
4.4.0rc3
4.4.0
4.4.1
4.5.0rc3
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.6.0rc3
4.6.0rc4
4.6.0rc5
4.6.0rc6
4.6.0rc7
4.6.0
4.6.1
4.7.0rc1
4.7.0rc2
4.7.0
4.7.1rc1
4.7.1
4.8.0rc1
4.8.0rc2
4.8.0rc3
4.8.0
4.8.1
4.8.2
4.9.0rc1
4.9.0
4.9.1
4.10.0rc1
4.10.0rc2
4.10.0rc3
4.10.0rc4
4.10.0
4.10.1rc1
4.10.1
4.10.2
4.11.0rc2
4.11.0rc3
4.11.0rc4
4.11.0
4.12.0rc2
4.12.0
4.12.1
4.12.2rc1
4.12.2
4.12.3rc1
4.13.0rc2
4.13.0rc3
4.13.0rc4
4.13.0
4.13.1
4.13.2rc1
4.13.2
4.13.3rc1
4.13.3rc2
4.13.3
4.13.4rc1
4.13.4
4.13.5
4.13.6rc3
4.13.6
4.13.7rc1
4.13.7
4.14.0rc1
4.14.0
4.15.0rc1
4.15.0rc2
4.15.0rc3
4.15.0rc4
4.15.0rc5
4.15.0
4.15.1rc1
4.15.1
5.*
5.0.0a0
5.0.0a7
5.0.0a9
5.0.0a14
5.0.0a15
5.0.0a16
5.0.0a17
5.0.0a18
5.0.0a19
5.0.0a20
5.0.0a21
5.0.0a22
5.0.0a26
5.0.0a29
5.0.0a33
5.0.0a34
5.0.0a35
5.0.0a36
5.0.0a37
5.0.0a38
5.0.0a40
5.0.0a41
5.0.0a42
5.0.0a43
5.0.0a44
5.0.0a47
5.0.0b1
5.0.0b2
5.0.0b4
5.0.0rc1
5.0.0rc2
5.0.0rc4
5.0.0rc5
5.0.0rc6
5.0.0rc7
5.0.0rc8
5.0.0rc9
5.0.0rc10
5.0.0rc91

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/vantage6/PYSEC-2026-3398.yaml"