CVE-2026-48505: Filament: MFA race condition enables recovery code reuse

HIGH
Published June 22, 2026
CISO Take

Filament's app-based MFA implementation (versions 4.x < 4.11.5 and 5.x < 5.6.5) contains a race condition that lets an attacker submit the same recovery code in parallel, creating multiple authenticated admin sessions instead of consuming the code once as designed. The attack requires the adversary to already hold both the user's password and their recovery codes — a high bar reflected in the CVSS 7.4 AC:H rating — but in targeted credential-theft scenarios against AI admin panels built on Laravel/Filament, this vulnerability materially extends the attacker's persistence window beyond what the single-use guarantee implies. No public exploit exists and the CVE is not in CISA KEV, but the patch is available now. Upgrade to 4.11.5 or 5.6.5 immediately; if patching is blocked, disable recovery codes in the panel configuration and enforce primary TOTP-only authentication.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

MEDIUM-HIGH. The critical prerequisite — attacker must already possess both the password and recovery codes — limits opportunistic exploitation and keeps this out of urgent-patch territory for most. However, organizations running Laravel/Filament as the admin layer for AI platforms expose high-value targets: model deployment controls, API key management, and training data access. In those environments, targeted credential-theft campaigns (spear-phishing, credential database leaks) are plausible attack vectors that would enable this exploit. The race condition itself is technically trivial to script once credentials are in hand. Patch risk is low; residual risk post-patch is negligible.

How does the attack unfold?

  1. Credential Acquisition (AML.T0012): Attacker obtains the target admin's password and MFA recovery codes through spear-phishing, a credential database leak, or physical access to recovery code backups.

  2. Race Condition Exploitation (AML.T0049): Attacker scripts dozens of simultaneous POST requests to the Filament MFA verification endpoint using the same recovery code before the server-side validation can mark it as consumed.

  3. Session Multiplication (AML.T0091): The race condition allows all concurrent requests to succeed, yielding multiple valid admin sessions from a single recovery code and extending the attacker's access window proportionally.

  4. AI Infrastructure Compromise: Attacker leverages the multiplied sessions across distributed exit nodes to access model configurations, API keys, training datasets, and deployment controls in the AI admin panel while evading detection.

What systems are affected?

Package: filament
Ecosystem: (not listed on this page)
Vulnerable Range: (not listed on this page)
Patched: No patch

Do you use filament? You're affected.

How severe is it?

CVSS 3.1: 7.4 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): High
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

5 steps
  1. Patch immediately: upgrade Filament to >=4.11.5 (v4 branch) or >=5.6.5 (v5 branch) — both patches are available now via Composer.

  2. Immediate workaround if patching is blocked: disable recovery codes in Filament panel config (set `->mfa()->recoveryCodesEnabled(false)`) and require primary TOTP authenticators only.

  3. Detection: audit authentication logs for multiple successful logins using the same recovery code within milliseconds — any such pattern is a near-certain indicator of exploitation.

  4. Post-patch hygiene: regenerate all existing recovery codes for privileged admin accounts.

  5. Defense-in-depth: apply rate limiting and concurrency controls on MFA verification endpoints at WAF or application middleware layer to reduce the window for future race conditions.
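The detection check in step 3 can be expressed as a small log audit. The following is an added example and not code from the advisory or from Filament; the log format (timestamp, event name, then `key=value` fields such as `user`, `code_hash`, `session` and `ip`) is constructed for the demo, as are the sample lines, and `code_hash` is assumed to be a digest of the recovery code rather than the code itself. It generalizes the page's "same code within milliseconds" rule slightly: any second successful login on one recovery code is reported, with the millisecond burst rated highest.

```python
"""Audit authentication logs for reuse of a single MFA recovery code (detection for the
Filament race condition). Constructed log format; not Filament's own log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, event name, then key=value fields. The code itself is
# never logged; code_hash is a short digest of it so reuse can be correlated without exposure.
SAMPLE_LOG = """\
2026-06-23T09:14:02.101Z mfa.recovery.success user=17 code_hash=ab12 session=s001 ip=203.0.113.5
2026-06-23T09:14:02.108Z mfa.recovery.success user=17 code_hash=ab12 session=s002 ip=198.51.100.9
2026-06-23T09:14:02.115Z mfa.recovery.success user=17 code_hash=ab12 session=s003 ip=192.0.2.44
2026-06-23T11:40:19.500Z mfa.recovery.success user=23 code_hash=cd34 session=s010 ip=203.0.113.7
2026-06-23T12:05:44.020Z mfa.totp.success user=17 session=s020 ip=203.0.113.5
2026-06-23T14:20:00.000Z mfa.recovery.success user=17 code_hash=ab12 session=s031 ip=203.0.113.5
"""

BURST_WINDOW = timedelta(seconds=2)  # parallel submissions land within milliseconds of each other


def parse_line(line: str) -> dict:
    """Split one log line into a record; key=value fields are kept under their key."""
    ts_raw, event, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%S.%fZ"), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_recovery_code_reuse(log_text: str, window: timedelta = BURST_WINDOW) -> list:
    """Return one alert per (user, recovery code) that produced more than one successful login.

    A correctly consumed code succeeds exactly once, so any second success is a finding.
    Successes packed inside `window` are the race signature and are rated critical; a later
    reuse still means the single-use guarantee failed and is rated high."""
    uses = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "mfa.recovery.success":
            uses[(rec["user"], rec["code_hash"])].append(rec)

    alerts = []
    for (user, code_hash), recs in uses.items():
        if len(recs) < 2:
            continue
        recs.sort(key=lambda r: r["ts"])
        # Largest number of successes that fall inside one window (sliding over sorted times)
        burst = 1
        for i, first in enumerate(recs):
            j = i
            while j + 1 < len(recs) and recs[j + 1]["ts"] - first["ts"] <= window:
                j += 1
            burst = max(burst, j - i + 1)
        alerts.append({
            "user": user,
            "code_hash": code_hash,
            "total_uses": len(recs),
            "burst_uses": burst,
            "severity": "critical" if burst >= 2 else "high",
            # Every session minted from the reused code must be revoked, not only the latest one
            "sessions_to_revoke": [r["session"] for r in recs],
            "source_ips": sorted({r["ip"] for r in recs}),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_recovery_code_reuse(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields a single critical alert for user 17: four successes on one code, three of them 14 ms apart from three different source addresses, and four sessions to revoke. The revocation list is the part that matters operationally: regenerating recovery codes (step 4) does not end sessions that already exist, so each listed session has to be invalidated explicitly.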

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9(2)(a) - Risk management for high-risk AI systems
ISO 42001: A.9.4 - Access control for AI systems
NIST AI RMF: MANAGE 2.2 - Mechanisms to maintain AI system integrity

Frequently Asked Questions

What is CVE-2026-48505?

Filament's app-based MFA implementation (versions 4.x < 4.11.5 and 5.x < 5.6.5) contains a race condition that lets an attacker submit the same recovery code in parallel, creating multiple authenticated admin sessions instead of consuming the code once as designed. The attack requires the adversary to already hold both the user's password and their recovery codes — a high bar reflected in the CVSS 7.4 AC:H rating — but in targeted credential-theft scenarios against AI admin panels built on Laravel/Filament, this vulnerability materially extends the attacker's persistence window beyond what the single-use guarantee implies. No public exploit exists and the CVE is not in CISA KEV, but the patch is available now. Upgrade to 4.11.5 or 5.6.5 immediately; if patching is blocked, disable recovery codes in the panel configuration and enforce primary TOTP-only authentication.

Is CVE-2026-48505 actively exploited?

No confirmed active exploitation of CVE-2026-48505 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-48505?

  1. Patch immediately: upgrade Filament to >=4.11.5 (v4 branch) or >=5.6.5 (v5 branch) — both patches are available now via Composer.

  2. Immediate workaround if patching is blocked: disable recovery codes in Filament panel config (set `->mfa()->recoveryCodesEnabled(false)`) and require primary TOTP authenticators only.

  3. Detection: audit authentication logs for multiple successful logins using the same recovery code within milliseconds — any such pattern is a near-certain indicator of exploitation.

  4. Post-patch hygiene: regenerate all existing recovery codes for privileged admin accounts.

  5. Defense-in-depth: apply rate limiting and concurrency controls on MFA verification endpoints at WAF or application middleware layer to reduce the window for future race conditions.

What systems are affected by CVE-2026-48505?

This vulnerability affects the following AI/ML architecture patterns: Laravel-based AI admin interfaces, MLOps control planes with Filament admin panels, AI SaaS platforms using Laravel as backend, Dataset management portals with MFA-protected admin access.

What is the CVSS score for CVE-2026-48505?

CVE-2026-48505 has a CVSS v3.1 base score of 7.4 (HIGH).

What is the AI security impact?

Affected AI Architectures

  • Laravel-based AI admin interfaces
  • MLOps control planes with Filament admin panels
  • AI SaaS platforms using Laravel as backend
  • Dataset management portals with MFA-protected admin access

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0091 Use Alternate Authentication Material

Compliance Controls Affected

EU AI Act: Article 9(2)(a)
ISO 42001: A.9.4
NIST AI RMF: MANAGE 2.2

What are the technical details?

Original Advisory

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker's window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5.

Exploitation Scenario

An attacker who obtained a platform admin's credentials and recovery code backup through a spear-phishing campaign targets a Laravel-based AI platform admin panel built with Filament. Using a simple script, the attacker fires 20 simultaneous POST requests to the MFA verification endpoint using the same recovery code before Filament's validation logic can mark it as consumed. Due to the race condition, all 20 requests succeed — yielding 20 authenticated admin sessions distributed across different exit nodes. The attacker uses these sessions to enumerate API keys, download model training configurations, and modify deployment parameters, while the legitimate admin sees only one recovery code consumed in their account settings and is unaware of the scope of the breach. Even if the legitimate user regenerates recovery codes, the attacker retains their multiplied active sessions until they are explicitly invalidated.

Weaknesses (CWE)

CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'): The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

  • [Architecture and Design] In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
  • [Architecture and Design] Use thread-safe capabilities such as the data access abstraction in Spring.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

Published: June 22, 2026
Last Modified: June 22, 2026
First Seen: June 23, 2026
