What is GHSA-74r7-3mjm-jc5v?

GHSA-74r7-3mjm-jc5v is a security advisory published by GitHub Security Advisories with Medium severity. eduMFA: Unauthenticated Failcounter Increment on Resolver Tokens via /validate/check

Why does GHSA-74r7-3mjm-jc5v have no CVE ID yet?

GitHub Security Advisories published this advisory directly to customers before NVD assigned a CVE ID. This is the embargo-window disclosure pattern — vendors notify customers on day 0; NVD's public record follows days to weeks later.

What is the CVSS v3 score of GHSA-74r7-3mjm-jc5v?

GHSA-74r7-3mjm-jc5v has a CVSS v3 base score of 6.5, published by GitHub Security Advisories.

Which products are affected by GHSA-74r7-3mjm-jc5v?

GHSA-74r7-3mjm-jc5v affects 1 product, including: pip/edumfa:\u003c 2.9.1.

GHSA-74r7-3mjm-jc5vMediumCVSS 6.5Disclosed before NVD

eduMFA: Unauthenticated Failcounter Increment on Resolver Tokens via /validate/check

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

📋 Description

### Impact If the resolver parameter is passed, but the user does not exist, all failcounters of tokens in that resolver will be increased. ### Patches This, along with other issues, was fixed in eduMFA v2.9.1. ### Workarounds Limiting access to `/validate/check` to client applications (i.e. Shibboleth/FreeRADIUS) using an authorization policy with `api_key_required` or using e.g. the reverse proxy.

🎯 Affected products1

pip/edumfa:< 2.9.1

🔗 References (2)

https://github.com/eduMFA/eduMFA/security/advisories/GHSA-74r7-3mjm-jc5v
https://github.com/advisories/GHSA-74r7-3mjm-jc5v