CVE-2026-44196

smp46 · Pingvin Share X

Pingvin Share X contains an authentication bypass flaw that allows users who possess a valid password to skip the TOTP second-factor authentication requirement.

Executive summary

A critical authentication bypass vulnerability in Pingvin Share X allows an attacker with a valid password to circumvent secondary multi-factor authentication requirements.

Vulnerability

This is an improper authentication flaw caused by an incorrect comparison in the TOTP verification process. An attacker who has already obtained a legitimate user's password can bypass the second-factor authentication layer, effectively nullifying the security benefits of MFA.

Business impact

By bypassing MFA, an attacker with compromised credentials gains full access to the file-sharing platform, leading to unauthorized data access and potential data leakage. With a CVSS score of 9.1, this vulnerability significantly undermines the security posture of the platform by rendering multi-factor authentication ineffective.

Remediation

Immediate Action: Update the Pingvin Share X installation to version 1.16.3 or later.

Proactive Monitoring: Review authentication logs for suspicious logins, particularly those that occur without the expected MFA challenges.

Compensating Controls: If immediate patching is not feasible, restrict access to the application via a VPN or IP allow-listing to reduce the attack surface.
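To support the log-review step above, the following is an added example (not code from Pingvin Share X or this advisory) that flags sessions created for TOTP-enrolled users without a successful TOTP event in the same login request. The log format, event names and the enrolled-user set are constructed assumptions; adapt the regex to the real application or reverse-proxy log format.

```python
"""Flag successful logins for MFA-enrolled users that show no TOTP step."""
import re
from collections import defaultdict

# Constructed sample log lines (not Pingvin Share X's real log format);
# the field names are assumptions for illustration only.
SAMPLE_LOG = """\
2026-04-01T09:00:01Z INFO auth password_ok user=alice ip=203.0.113.5 req=a1
2026-04-01T09:00:02Z INFO auth totp_ok user=alice ip=203.0.113.5 req=a1
2026-04-01T09:00:02Z INFO auth session_created user=alice ip=203.0.113.5 req=a1
2026-04-01T09:05:10Z INFO auth password_ok user=bob ip=198.51.100.9 req=b7
2026-04-01T09:05:10Z INFO auth session_created user=bob ip=198.51.100.9 req=b7
2026-04-01T09:07:00Z INFO auth password_ok user=carol ip=192.0.2.44 req=c3
2026-04-01T09:07:00Z INFO auth session_created user=carol ip=192.0.2.44 req=c3
"""

# Users with TOTP enrolled (assumed here; in practice read from the user store).
MFA_ENROLLED = {"alice", "bob"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth (?P<event>\w+) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) req=(?P<req>\S+)$"
)


def find_sessions_without_totp(log_text, mfa_enrolled):
    """Return (user, ip, ts) for every session_created event belonging to an
    MFA-enrolled user whose login request never logged a successful TOTP check.
    Users without TOTP enrolled are ignored: a missing challenge is expected there."""
    totp_seen = defaultdict(bool)  # request id -> TOTP succeeded for that request?
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ev, user, req = m["event"], m["user"], m["req"]
        if ev == "totp_ok":
            totp_seen[req] = True
        elif ev == "session_created" and user in mfa_enrolled and not totp_seen[req]:
            suspicious.append((user, m["ip"], m["ts"]))
    return suspicious


if __name__ == "__main__":
    for user, ip, ts in find_sessions_without_totp(SAMPLE_LOG, MFA_ENROLLED):
        print(f"{ts} session for MFA user {user} from {ip} with no TOTP step")
```

On the constructed sample only bob's session is reported: alice completed TOTP, and carol is not enrolled, so her password-only login is expected.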

Exploitation status

Public Exploit Available: No

Analyst recommendation

Securing the authentication flow is vital for maintaining the confidentiality of shared files. Administrators must upgrade to version 1.16.3 immediately to restore the integrity of the multi-factor authentication process.