CVE-2026-28510 Overview
CVE-2026-28510 is a multi-factor authentication (MFA) bypass vulnerability in eLabFTW, an open source electronic lab notebook. The flaw exists in the login flow of versions through 5.4.1, where the application failed to reliably preserve MFA state across authentication steps. An attacker holding valid primary credentials could complete authentication using an attacker-controlled Time-based One-Time Password (TOTP) secret, defeating the additional factor. The vulnerability is categorized under [CWE-302: Authentication Bypass by Assumed-Immutable Data]. The issue is fixed in version 5.4.2.
Critical Impact
Attackers with valid primary credentials can bypass TOTP-based MFA by supplying their own MFA secret, leading to unauthorized account access.
Affected Products
- eLabFTW versions through 5.4.1
- Fixed in eLabFTW version 5.4.2
Discovery Timeline
- 2026-05-05 - CVE-2026-28510 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-28510
Vulnerability Analysis
The vulnerability resides in the login controller logic that handles the MFA authentication step. eLabFTW uses a two-step authentication flow: primary credential validation followed by TOTP verification. During the second step, the application retrieved the MFA secret used for verification from the user session, but fell back to a value supplied in the HTTP request when the session value was absent.
This fallback allowed a client to inject an mfa_secret parameter that the server then trusted as authoritative. An attacker who possessed valid primary credentials could submit a request containing both an attacker-generated TOTP secret and a corresponding valid TOTP code, bypassing the genuine second factor entirely.
Root Cause
The root cause is improper trust placed in client-supplied data during a security-critical state transition. The MFA secret should be bound to the authenticating user and retrieved exclusively from server-side state. By accepting a request-supplied secret as a fallback, the server made an assumed-immutable security parameter mutable by the client.
Attack Vector
Exploitation requires an attacker to already possess valid primary credentials, which limits the practical attack surface to credential theft, phishing, or insider scenarios. With those credentials, the attacker initiates the login flow and submits an mfa_secret value of their choosing along with a matching mfa_code derived from that secret. The vulnerable code path uses the supplied secret for verification, completes authentication, and issues a session.
// MFA AUTH
case AuthType::Mfa:
return new Mfa(
- new MfaHelper($this->Session->get('mfa_secret') ?? $this->Request->request->get('mfa_secret')),
+ new MfaHelper($this->Session->get('mfa_secret')),
$this->Session->get('auth_userid'),
$this->Request->request->getAlnum('mfa_code'),
);
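Review bot: the patched line still passes $this->Session->get('mfa_secret') straight into MfaHelper, so when the session holds no secret the constructor receives null, and the hunk does not show how MfaHelper treats a null secret. Add an explicit fail-closed guard before constructing Mfa (reject the request and return the client to the primary step when the session has no mfa_secret or no auth_userid) so correctness does not depend on the helper's handling of an empty secret.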
The patch removes the request-based fallback, ensuring the MFA secret is sourced only from the server-side session. Source: eLabFTW commit 8b7a575.
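The root cause and the patch above, modelled as an added Python example that is not eLabFTW's own code: a working RFC 6238 TOTP check whose second step reads the secret from server-side session state only, with a regression check showing that a request-supplied secret is ignored. The user store, secrets and timestamp are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed user store standing in for eLabFTW's database (assumption).
USERS = {42: {"mfa_secret": "JBSWY3DPEHPK3PXP"}}

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at unix time `at`."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def primary_step(session, user_id):
    """After password validation: bind the user id and MFA secret into
    server-side session state. This is the only writer of mfa_secret."""
    session["auth_userid"] = user_id
    session["mfa_secret"] = USERS[user_id]["mfa_secret"]

def mfa_step(session, request, now):
    """Hardened second step, mirroring the patched constructor call: the
    secret is read from the session only, a request-supplied mfa_secret is
    never consulted, and a missing session secret fails closed."""
    secret = session.get("mfa_secret")
    if not secret or session.get("auth_userid") is None:
        return False
    # Same normalisation as getAlnum('mfa_code'): keep alphanumerics only.
    code = "".join(c for c in request.get("mfa_code", "") if c.isalnum())
    # Allow one 30 s step of clock drift; constant-time compare per candidate.
    return any(hmac.compare_digest(code, totp(secret, now + d * 30))
               for d in (-1, 0, 1))

def demo(now=1_700_000_000):
    """Returns (legitimate_login_accepted, request_supplied_secret_rejected)."""
    good = {}
    primary_step(good, 42)
    accepted = mfa_step(good, {"mfa_code": totp(USERS[42]["mfa_secret"], now)}, now)
    # Session with no bound secret plus a request carrying a foreign secret and
    # a code valid for that secret: the CVE's precondition, now rejected.
    stale, foreign = {"auth_userid": 42}, "GEZDGNBVGY3TQOJQ"
    rejected = not mfa_step(stale, {"mfa_secret": foreign,
                                    "mfa_code": totp(foreign, now)}, now)
    return accepted, rejected
```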
Detection Methods for CVE-2026-28510
Indicators of Compromise
- Successful login events for accounts where MFA is enrolled but no corresponding session-based MFA challenge was issued.
- HTTP POST requests to the eLabFTW login endpoint containing an mfa_secret parameter from a client.
- Authentication events originating from unusual IP addresses or user agents shortly after credential exposure incidents.
Detection Strategies
- Inspect web server and application access logs for POST requests carrying an mfa_secret form field, which is not part of legitimate client behavior.
- Correlate successful logins for MFA-enrolled accounts with the absence of a preceding server-side write of the MFA secret to the session store.
- Alert on anomalies in login geolocation, device fingerprint, or session creation rate for MFA-protected accounts.
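The first two detection strategies above, as an added Python example that is not part of the original advisory: a parser that flags login POSTs whose form body carries mfa_secret, and a correlation that reports MFA-enrolled logins with no preceding server-side secret binding. The proxy log format (with the request body appended), the application event names, addresses and user ids are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed proxy log lines in an assumed custom log_format that appends
# $request_body for the login endpoint; not eLabFTW's or nginx's default format.
ACCESS_LOG = """\
203.0.113.7 - - [05/May/2026:10:01:02 +0000] "POST /login HTTP/1.1" 302 "email=alice%40lab.example&password=***"
203.0.113.7 - - [05/May/2026:10:01:05 +0000] "POST /login HTTP/1.1" 302 "mfa_code=123456"
198.51.100.9 - - [05/May/2026:10:07:41 +0000] "POST /login HTTP/1.1" 302 "mfa_secret=GEZDGNBVGY3TQOJQ&mfa_code=654321"
198.51.100.9 - - [05/May/2026:10:07:42 +0000] "GET /experiments HTTP/1.1" 200 "-"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<body>[^"]*)"$')

def find_request_supplied_mfa_secret(log, login_path="/login"):
    """Flag POSTs to the login endpoint whose form body carries an mfa_secret
    field, which no legitimate client sends."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue
        if "mfa_secret" in parse_qs(m["body"], keep_blank_values=True):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"])})
    return hits

# Constructed application event stream (assumed shape). In the intended flow the
# server binds the MFA secret into the session before the second step succeeds.
APP_EVENTS = [
    {"sid": "s1", "user": 42, "event": "primary_ok"},
    {"sid": "s1", "user": 42, "event": "mfa_secret_bound"},
    {"sid": "s1", "user": 42, "event": "login_success"},
    {"sid": "s2", "user": 42, "event": "primary_ok"},
    {"sid": "s2", "user": 42, "event": "login_success"},
    {"sid": "s3", "user": 7, "event": "login_success"},   # user 7 is not enrolled
]
MFA_ENROLLED = {42}

def logins_without_bound_secret(events, enrolled):
    """Return session ids where an MFA-enrolled account logged in without the
    server having bound an MFA secret to that session first."""
    bound, alerts = set(), []
    for e in events:
        if e["event"] == "mfa_secret_bound":
            bound.add(e["sid"])
        elif (e["event"] == "login_success" and e["user"] in enrolled
              and e["sid"] not in bound):
            alerts.append(e["sid"])
    return alerts
```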
Monitoring Recommendations
- Forward eLabFTW application logs and reverse proxy logs to a central SIEM for retention and correlation.
- Monitor administrative and high-privilege accounts in particular for unexpected successful authentications.
- Track the eLabFTW version string in deployment inventories to identify hosts still running 5.4.1 or earlier.
How to Mitigate CVE-2026-28510
Immediate Actions Required
- Upgrade eLabFTW to version 5.4.2 or later, which removes the request-based MFA secret fallback.
- Force re-authentication for all active sessions after upgrading to invalidate any sessions established via the bypass.
- Rotate credentials for accounts suspected of having been used during the exposure window, especially administrators.
Patch Information
The fix is committed in eLabFTW commit 8b7a575 and shipped in release 5.4.2. Refer to the GitHub Security Advisory GHSA-x5wv-c9q4-fj65 for vendor guidance.
Workarounds
- If immediate upgrade is not possible, restrict access to the eLabFTW login endpoint at the reverse proxy or WAF layer to drop requests containing an mfa_secret form parameter.
- Enforce strong, unique passwords and rotate any credentials known to be compromised, since exploitation requires valid primary credentials.
- Limit network exposure of the eLabFTW instance to trusted networks or behind a VPN until the upgrade is applied.
# Example NGINX rule to block requests carrying an mfa_secret form field.
# Caveats: nginx rejects nested "if" blocks, and $request_body is only
# populated after the body has been read (which happens when proxy_pass
# runs), so a rewrite-phase "if" on it is not a dependable control. Treat
# it as a stopgap and prefer a WAF that inspects POST bodies.
location = /login {
    # GET requests carry no body, so a separate method check is not needed.
    if ($request_body ~* "(^|&)mfa_secret=") {
        return 403;
    }
    proxy_pass http://elabftw_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.