Pingvin Share X Authentication Bypass Vulnerability Allowing TOTP Skipping

Vulnerability

A critical authentication bypass vulnerability has been identified in Pingvin Share X versions 1.14.1 and later, prior to 1.16.2. This vulnerability allows an attacker with a valid username and password to completely bypass the second-factor authentication requirement (TOTP). While the attacker must still possess the user's password to exploit this vulnerability, successfully doing so grants full access to the user's account, including the ability to manage shares, view sensitive files, and modify account settings. Given that Pingvin Share X supports unlimited file sizes and various storage providers like S3, the risk of data exposure is considerable.

Impact

Exploitation of this vulnerability allows for a complete authentication bypass, enabling attackers with compromised credentials to gain full access to the affected user's account. This includes the ability to manage shares, access sensitive files, and alter account settings. The vulnerability's impact is heightened by the application's support for unlimited file sizes and integration with various storage providers, such as S3, increasing the potential for significant data exposure.

Remediation

Users are advised to update to Pingvin Share X version 1.16.3, where this vulnerability has been patched. For those using Watchtower, the update should occur automatically once the new image is pulled. If an immediate upgrade is not possible, consider disabling password-based logins and requiring authentication through OIDC or LDAP providers that manage their own two-factor authentication. Alternatively, restrict network access to the login portal via a VPN or IP allowlist until the patch can be applied.

Added: May 12, 2026, 6:54 PM
Updated: May 12, 2026, 6:54 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.6
remediation: 0.0
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.