The vulnerability stems from two issues that have to occur together: (1) available_aal is calculated incorrectly when an identity has both a passwordless code credential and an MFA credential, because the credential-based AAL computation does not treat 'code' as a valid first factor; and (2) session validation relies on that stored available_aal value instead of evaluating the identity's credentials at check time. Neither issue alone is exploitable; together they make the system misjudge the highest AAL the user can actually reach, so a second factor that is on file is never demanded.
To exploit this issue an attacker would need to steal or guess a valid login OTP of a user who has only the OTP (passwordless code) login method enabled and whose stored available_aal value is incorrect.
Other properties of the session, such as the session's own aal, are not affected by this issue.
On Ory Network, only 0.00066% of registered users were affected by this issue, and most of those users appeared to be test users. Their respective AAL values have since been updated and they are no longer vulnerable to this attack.
Version 1.3.0 is not affected by this issue.
If you require 2FA, disable the passwordless code login method. If that is not possible, check the session's aal directly to determine whether the user is at aal1 or aal2.
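The following Go program is an added example, not code from the Kratos repository, that models the two halves of the issue described above and the workaround: how available_aal is derived from an identity's credentials (a flawed derivation that ignores 'code' as a first factor beside the corrected one), why an enforcement path that trusts the stored value lets an OTP-only session through, and a check that looks only at the session's own aal. Field names follow the Kratos session and identity JSON (authenticator_assurance_level, identity.available_aal, identity.credentials); the first/second-factor classification, the function names and the sample payload are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

type AAL string

const (
	AAL1 AAL = "aal1"
	AAL2 AAL = "aal2"
)

type CredentialType string

const (
	CredPassword CredentialType = "password"
	CredCode     CredentialType = "code" // passwordless one-time code
	CredTOTP     CredentialType = "totp"
)

// Assumed classification for this example: code is a first-factor login
// method once passwordless code login is enabled.
var firstFactor = map[CredentialType]bool{CredPassword: true, CredCode: true}
var secondFactor = map[CredentialType]bool{CredTOTP: true}

// Identity carries the credentials on file plus the persisted available_aal.
type Identity struct {
	Credentials  map[CredentialType]json.RawMessage `json:"credentials"`
	AvailableAAL AAL                               `json:"available_aal"`
}

type Session struct {
	AuthenticatorAssuranceLevel AAL      `json:"authenticator_assurance_level"`
	Identity                    Identity `json:"identity"`
}

func credentialTypes(id Identity) []CredentialType {
	out := make([]CredentialType, 0, len(id.Credentials))
	for t := range id.Credentials {
		out = append(out, t)
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// availableAAL computes the highest reachable AAL: aal2 needs one first
// factor and one second factor. The isFirst predicate is what differs
// between the flawed and the fixed variant.
func availableAAL(creds []CredentialType, isFirst func(CredentialType) bool) AAL {
	hasFirst, hasSecond := false, false
	for _, c := range creds {
		hasFirst = hasFirst || isFirst(c)
		hasSecond = hasSecond || secondFactor[c]
	}
	if hasFirst && hasSecond {
		return AAL2
	}
	return AAL1
}

// flawedAvailableAAL reproduces the bug class: only password counts as a
// first factor, so code + totp is reported as aal1.
func flawedAvailableAAL(creds []CredentialType) AAL {
	return availableAAL(creds, func(c CredentialType) bool { return c == CredPassword })
}

// fixedAvailableAAL counts every first-factor method, including code.
func fixedAvailableAAL(creds []CredentialType) AAL {
	return availableAAL(creds, func(c CredentialType) bool { return firstFactor[c] })
}

// satisfies is the "highest available" rule: the session's AAL must be at
// least the AAL the identity can reach.
func satisfies(sessionAAL, required AAL) bool {
	return required == AAL1 || sessionAAL == AAL2
}

// allowedUsingStored trusts identity.available_aal as persisted (the
// vulnerable shape): a stale aal1 lets an OTP-only session through.
func allowedUsingStored(s Session) bool {
	return satisfies(s.AuthenticatorAssuranceLevel, s.Identity.AvailableAAL)
}

// allowedRecomputed derives the requirement from the credentials on file
// at check time instead of the stored value.
func allowedRecomputed(s Session) bool {
	return satisfies(s.AuthenticatorAssuranceLevel, fixedAvailableAAL(credentialTypes(s.Identity)))
}

// requireAAL2 is the workaround for callers that need 2FA: consult the
// session's own aal and ignore available_aal entirely.
func requireAAL2(s Session) bool {
	return s.AuthenticatorAssuranceLevel == AAL2
}

func parseSession(raw string) (Session, error) {
	var s Session
	err := json.Unmarshal([]byte(raw), &s)
	return s, err
}

// Constructed whoami-style payload: code + totp on file, stored
// available_aal wrongly aal1, and a session obtained with only the OTP.
const sampleSession = `{
  "authenticator_assurance_level": "aal1",
  "identity": {
    "available_aal": "aal1",
    "credentials": {"code": {"type": "code"}, "totp": {"type": "totp"}}
  }
}`

func main() {
	s, err := parseSession(sampleSession)
	if err != nil {
		panic(err)
	}
	creds := credentialTypes(s.Identity)
	fmt.Println("flawed available_aal:", flawedAvailableAAL(creds)) // aal1
	fmt.Println("fixed available_aal:", fixedAvailableAAL(creds))   // aal2
	fmt.Println("allowed using stored value:", allowedUsingStored(s)) // true (the bug)
	fmt.Println("allowed recomputed:", allowedRecomputed(s))          // false
	fmt.Println("workaround requireAAL2:", requireAAL2(s))            // false
}
```

The flawed and fixed derivations differ only in whether 'code' counts as a first factor; the enforcement difference is whether the requirement is read from the stored column or recomputed from the credentials at check time. For a user with only the code method and no second factor, both derivations correctly yield aal1, which is why disabling passwordless code login removes the exposure.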
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/ory/kratos | go | <= 1.2.0 | 1.3.0 |