{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "97209a0af36463f8b54d8925f76df771a7202290"
            },
            {
              "fixed": "4aad67bdd3bf772188b539a9eb59e9e409f750cc"
            }
          ],
          "repo": "https://github.com/elabftw/elabftw",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-pvxr-39g3-m28c"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-288",
      "CWE-303"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52586.json"
  },
  "details": "eLabFTW is an open source electronic lab notebook for research labs. A vulnerability present starting in version 4.6.0 and prior to version 5.1.0 allows an attacker to bypass eLabFTW's built-in multifactor authentication mechanism. An attacker who can authenticate locally (by knowing or guessing the password of a user) can thus log in regardless of MFA requirements. This does not affect MFA that is performed by single sign-on services. Users are advised to upgrade to at least version 5.1.9 to receive a fix. Note that the stated affected range (prior to 5.1.0) and the recommended upgrade target (5.1.9) differ; check the vendor advisory listed in the references before treating versions 5.1.0 through 5.1.8 as fixed.",
  "id": "CVE-2024-52586",
  "modified": "2025-12-04T02:34:27.277726543Z",
  "published": "2024-12-09T18:38:42.856Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52586.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/elabftw/elabftw/security/advisories/GHSA-pvxr-39g3-m28c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52586"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "eLabFTW MFA bypass"
}