Email Flooding Vulnerability in Vantage6 Open Source Infrastructure
CVE-2024-24769

2.1 LOW

Key Information:

Vendor

Vantage6

Status
Vendor
CVE Published:
17 June 2026

What is CVE-2024-24769?

Vantage6 lets users reset their MFA token through API routes that send confirmation emails. Prior to version 5.0.0, there is no limit on the number of reset emails that can be sent, which could allow attackers to overwhelm a user's mailbox. The excessive email traffic can also adversely affect SMTP servers, potentially causing them to be flagged as spam sources. Although resetting the MFA token requires the correct user password, the risk of mail flooding remains a concern for both users and service providers.
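The missing control is a cap on reset emails per recipient, applied even after the password check succeeds. The sketch below is an added example, not vantage6 code or the fix shipped in 5.0.0; `ResetMailThrottle`, `request_mfa_reset`, the limit of 3 emails per hour and the 60-second cooldown are assumptions, and the state is in-memory for a single process.

```python
import time
from collections import defaultdict, deque


class ResetMailThrottle:
    """Sliding-window cap on MFA-reset emails per recipient (hypothetical helper)."""

    def __init__(self, max_mails=3, window_s=3600, cooldown_s=60, clock=time.monotonic):
        self.max_mails = max_mails    # assumed limit per window
        self.window_s = window_s      # assumed window length in seconds
        self.cooldown_s = cooldown_s  # assumed minimum gap between two emails
        self.clock = clock            # injectable so the limiter can be tested
        self._sent = defaultdict(deque)  # recipient -> timestamps of sent emails

    def allow(self, recipient):
        # Normalise the address so case variants share one bucket.
        key = recipient.strip().lower()
        now = self.clock()
        sent = self._sent[key]
        # Drop timestamps that have left the sliding window.
        while sent and now - sent[0] >= self.window_s:
            sent.popleft()
        if sent and now - sent[-1] < self.cooldown_s:
            return False              # too soon after the previous email
        if len(sent) >= self.max_mails:
            return False              # window quota exhausted
        sent.append(now)
        return True


def request_mfa_reset(throttle, outbox, email, password_ok):
    """Hypothetical handler: the throttle is consulted before any mail is queued."""
    if not password_ok:
        return "denied"
    if not throttle.allow(email):
        return "throttled"            # no email sent, so no SMTP traffic
    outbox.append(email)              # stand-in for handing the mail to SMTP
    return "sent"


def simulate(n_requests, gap_s, email="Victim@example.org"):
    """Constructed scenario: n authenticated reset requests, gap_s seconds apart."""
    t = [0.0]
    throttle = ResetMailThrottle(clock=lambda: t[0])
    outbox, results = [], []
    for _ in range(n_requests):
        results.append(request_mfa_reset(throttle, outbox, email, True))
        t[0] += gap_s
    return results, len(outbox)
```

A multi-worker deployment would need the counters in a shared store rather than process memory, and throttled requests are worth logging as a signal that credentials for the account are being abused.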

Affected Version(s)

vantage6 < 5.0.0

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
