Komari vulnerable to 2FA Authentication Bypass
Summary
Logic error in 2FA verification condition allows bypass of two-factor authentication
Details
https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/login.go#L55
There is no way for Verify2Fa to return an error AND true as ok at the same time, any codes are considered as valid.
PoC
Use any 6 digits as 2FA code
Impact
Bypass 2FA Authentication
| Software | From | Fixed in |
|---|---|---|
github.com/komari-monitor/komari
|
- | 0.0.0-20250809064056-cc3d54bff4c6 |
- https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/login.go#L55
- https://github.com/komari-monitor/komari/commit/cc3d54bff4c6495beaa1c7483379cd04542c557f
- https://github.com/komari-monitor/komari/releases/tag/1.0.4-fix1
- https://github.com/komari-monitor/komari/security/advisories/GHSA-jhmr-57cj-q6g9
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime