CVE-2026-44196
smp46 · Pingvin Share X
Pingvin Share X contains an authentication bypass flaw that allows users who possess a valid password to skip the TOTP second-factor authentication requirement.
Executive summary
A critical authentication bypass vulnerability in Pingvin Share X allows an attacker with a valid password to circumvent secondary multi-factor authentication requirements.
Vulnerability
This is an improper authentication flaw caused by an incorrect comparison in the TOTP verification process. An attacker who has already obtained a legitimate user's password can bypass the second-factor authentication layer, effectively nullifying the security benefits of MFA.
Business impact
By bypassing MFA, an attacker with compromised credentials gains full access to the file-sharing platform, leading to unauthorized data access and potential data leakage. With a CVSS score of 9.1, this vulnerability significantly undermines the security posture of the platform by rendering multi-factor authentication ineffective.
Remediation
Immediate Action: Update the Pingvin Share X installation to version 1.16.3 or later.
Proactive Monitoring: Review authentication logs for suspicious logins, particularly successful logins by MFA-enrolled users that were not accompanied by a completed TOTP challenge.
Compensating Controls: If immediate patching is not feasible, restrict access to the application via a VPN or IP allow-listing to reduce the attack surface.
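One way to carry out the log review above, as an added example rather than anything shipped with Pingvin Share X: the log line format, event names (auth.password, auth.totp, auth.session_created) and sample entries are constructed for illustration, since the advisory does not describe the application's real log format, so the regex must be adapted to the logs actually in use.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical format (not Pingvin Share X's own).
# s1: normal MFA login; s2: session issued with no TOTP event at all;
# s3: failed password only; s4: session issued although the TOTP check failed.
SAMPLE_LOG = """\
2026-05-01T10:00:01Z auth.password ok user=alice session=s1
2026-05-01T10:00:05Z auth.totp ok user=alice session=s1
2026-05-01T10:00:06Z auth.session_created user=alice session=s1
2026-05-01T10:02:10Z auth.password ok user=bob session=s2
2026-05-01T10:02:11Z auth.session_created user=bob session=s2
2026-05-01T10:03:00Z auth.password fail user=carol session=s3
2026-05-01T10:04:00Z auth.password ok user=alice session=s4
2026-05-01T10:04:02Z auth.totp fail user=alice session=s4
2026-05-01T10:04:03Z auth.session_created user=alice session=s4
"""

# Users known to have TOTP enrolled (hypothetical; take this from your user DB).
MFA_USERS = {"alice", "bob"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+)(?: (?P<result>ok|fail))? "
    r"user=(?P<user>\S+) session=(?P<sid>\S+)$"
)


def find_mfa_bypass(log_text, mfa_users):
    """Return (session id, user) pairs where an MFA-enrolled user obtained a
    session after a correct password without a successful TOTP event."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped rather than treated as evidence
            sessions[m["sid"]].append(m.groupdict())

    suspicious = []
    for sid, events in sessions.items():
        user = events[0]["user"]
        if user not in mfa_users:
            continue
        pw_ok = any(e["event"] == "auth.password" and e["result"] == "ok" for e in events)
        totp_ok = any(e["event"] == "auth.totp" and e["result"] == "ok" for e in events)
        created = any(e["event"] == "auth.session_created" for e in events)
        # A session created after a good password but with no *successful* TOTP
        # step (missing or failed) is exactly the pattern this advisory warns about.
        if pw_ok and created and not totp_ok:
            suspicious.append((sid, user))
    return suspicious


if __name__ == "__main__":
    for sid, user in find_mfa_bypass(SAMPLE_LOG, MFA_USERS):
        print(f"review session {sid}: {user} logged in without a completed TOTP check")
```

Sessions for users not enrolled in MFA are ignored, so keep the enrolled-user set current or the scan will miss accounts.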
Exploitation status
Public Exploit Available: No
Analyst recommendation
Securing the authentication flow is vital for maintaining the confidentiality of shared files. Administrators must upgrade to version 1.16.3 immediately to restore the integrity of the multi-factor authentication process.