CVE-2026-48154

MEDIUMPre-NVD 5.95.9
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 5.9 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.1%, top 83% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
5.9
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 5.9Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362)

Vulnerability: CWE-362 — Concurrent Map Access Race Condition in InMemorySecret2FA

CWE: CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization)

Affected Component

  • github.com/pilinux/gorest — Go REST API boilerplate
  • InMemorySecret2FA — in-memory 2FA secret store

Vulnerability Locations

| File | Line | Role | |------|------|------| | database/model/twoFA.go | 43 | Global map[uint64]Secret2FA — bare map, no sync.RWMutex | | handler/login.go | 139 | Map write during user login | | handler/twoFA.go | 205 | Map write during 2FA setup | | handler/twoFA.go | 272 | Map write during 2FA activation | | handler/twoFA.go | 575 | Map write during 2FA verification | | handler/twoFA.go | 189 | Map read during 2FA operations | | handler/twoFA.go | 245 | Map read during 2FA operations | | handler/twoFA.go | 491 | Map read during 2FA operations | | service/common.go | 79 | Map delete |

Data Flow

Multiple HTTP goroutines (concurrent requests)
    │
    ├── handler/login.go:139 ─► map write ──┐
    ├── handler/twoFA.go:205 ─► map write ──┼── InMemorySecret2FA (bare map)
    ├── handler/twoFA.go:189 ─► map read ───┤      ▲  NO sync.RWMutex
    ├── handler/twoFA.go:245 ─► map read ───┤      │
    ├── handler/twoFA.go:491 ─► map read ───┤      │
    └── service/common.go:79 ─► map delete ─┘      │
                                                   │
            Go runtime detects concurrent map      │
            read+write or write+write              │
                │                                  │
                ▼                                  │
    fatal error: concurrent map read and map write │
    fatal error: concurrent map writes             │
                │                                  │
                ▼                                  │
         Process crash (DoS) ──────────────────────┘

Description

The InMemorySecret2FA in database/model/twoFA.go was defined as a package-level map[uint64]Secret2FA — a bare Go map with no synchronization primitive. Multiple HTTP handlers in handler/login.go and handler/twoFA.go read from and wrote to this map concurrently. Go's runtime detects unsynchronized concurrent map access and throws an unrecoverable fatal error, which crashes the entire process.

This is a CWE-362 race condition: the shared resource (the map) is accessed concurrently without proper synchronization, and the failure mode is a hard process crash (denial of service).

Trigger Conditions

  • Two users with 2FA enabled logging in simultaneously — concurrent map writes
  • One user logging in (map write) while another performs 2FA verification (map read)
  • Any concurrent combination of the 9 affected handler locations

Proof of Concept

# Simulate two concurrent logins with 2FA enabled
for i in 1 2; do
    curl -X POST http://target:8080/api/v1/login         -H "Content-Type: application/json"         -d "{"email":"user${i}@example.com","password":"testpass"}" &
done
wait

Go runtime output:

fatal error: concurrent map writes

goroutine 34 [running]:

runtime.throw({0x...})

runtime/map.go:...

Impact

  • Availability (High): Hard process crash via Go runtime fatal error. No recovery possible — the process exits. An attacker can repeat the concurrent requests to crash the service on demand.
  • Confidentiality (None): The crash itself does not leak data.
  • Integrity (None): No data corruption (Go prevents it by crashing).

Fix (PR #391)

Introduced Secret2FAStore struct with sync.RWMutex protection:

// BEFORE: database/model/twoFA.go — bare map, no protection
var InMemorySecret2FA map[uint64]Secret2FA

// AFTER: Wrapped with sync.RWMutex type Secret2FAStore struct { mu sync.RWMutex data map[uint64]Secret2FA }

func (s *Secret2FAStore) Get(key uint64) (Secret2FA, bool) { s.mu.RLock() defer s.mu.RUnlock() v, ok := s.data[key] return cloneSecret2FA(v), ok }

func (s *Secret2FAStore) Set(key uint64, value Secret2FA) { s.mu.Lock() defer s.mu.Unlock() s.data[key] = cloneSecret2FA(value) }

func (s *Secret2FAStore) Delete(key uint64) { s.mu.Lock() defer s.mu.Unlock() delete(s.data, key) }

// cloneSecret2FA returns a deep copy of a Secret2FA. // This prevents external code from mutating the store's data // through shared slice backing arrays. func cloneSecret2FA(v Secret2FA) Secret2FA { out := Secret2FA{Image: v.Image} if v.PassHash != nil { out.PassHash = append([]byte(nil), v.PassHash...) } if v.KeySalt != nil { out.KeySalt = append([]byte(nil), v.KeySalt...) } if v.Secret != nil { out.Secret = append([]byte(nil), v.Secret...) } return out }

All 9 handler call sites updated from direct map access to store method calls.

Not Vulnerable (verified during audit)

  • JWT: RSA keys from files, appleboy/gin-jwt middleware — correct
  • Password hashing: Argon2 via pilinux/argon2 — correct
  • SQL queries: GORM parameterized — correct
  • CORS: validates wildcard+credentials combination at config load — correct

Patched Versions

All versions after PR #391 merge.

Resources

  • Fix PR: https://github.com/pilinux/gorest/pull/391

Credit

Reported by @saaa99999999 via manual security audit.

CVSS v3
5.9
EG Score
5.9(low)
EPSS
16.5%
KEV
Not listed

Published

June 12, 2026

Last Modified

June 12, 2026

Vendor Advisories for CVE-2026-48154(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/pilinux/gorest1.12.2

Data Freshness Timeline

(refreshed 6× in last 7d / 27× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 01:02 UTCEG score recompute
  2. 2026-07-05 10:44 UTCEG score recompute
  3. 2026-07-04 10:53 UTCEG score recompute
  4. 2026-07-03 07:33 UTCEG score recompute
  5. 2026-07-02 06:58 UTCEG score recompute
  6. 2026-07-01 07:51 UTCEG score recompute
  7. 2026-06-30 08:44 UTCEG score recompute
  8. 2026-06-29 09:33 UTCEG score recompute
  9. 2026-06-28 10:26 UTCEG score recompute
  10. 2026-06-27 11:10 UTCEG score recompute
  11. 2026-06-26 12:04 UTCEG score recompute
  12. 2026-06-25 08:11 UTCEG score recompute
  13. 2026-06-24 09:05 UTCEG score recompute
  14. 2026-06-23 09:58 UTCEG score recompute
  15. 2026-06-22 10:44 UTCEG score recompute
  16. 2026-06-21 11:15 UTCEG score recompute
  17. 2026-06-20 12:06 UTCEG score recompute
  18. 2026-06-19 13:00 UTCEG score recompute
  19. 2026-06-18 13:51 UTCEG score recompute
  20. 2026-06-17 14:43 UTCEG score recompute
  21. 2026-06-16 15:36 UTCEG score recompute
  22. 2026-06-15 16:30 UTCEG score recompute
  23. 2026-06-14 23:18 UTCEPSS rescore
  24. 2026-06-14 17:24 UTCEG score recompute
  25. 2026-06-13 23:00 UTCEPSS rescore
Show 2 more
  1. 2026-06-13 18:19 UTCEG score recompute
  2. 2026-06-12 19:11 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-48154?
CVE-2026-48154 is a medium vulnerability published on June 12, 2026. gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362) Vulnerability: CWE-362 — Concurrent Map Access Race Condition in InMemorySecret2FA CWE: CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) Affected Component…
When was CVE-2026-48154 disclosed?
CVE-2026-48154 was first published in the National Vulnerability Database on June 12, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-48154 actively exploited?
CVE-2026-48154 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 16.5% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-48154?
CVE-2026-48154 has a CVSS v4.0 base score of 5.9 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-48154?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48154, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-48154

Explore →

Is Your Infrastructure Affected by CVE-2026-48154?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.