CVE-2026-33640: OTP Verify Without Attempt Limit
greprules fetch cve-2026-33640-otp-verify-without-attempt-limit --engine opengrep
Description
A verification-code verify-style function retrieves a stored OTP and immediately returns a constant-time equality comparison without incrementing an attempt counter or invalidating the code on repeated failures. With small code keyspaces (e.g. 6-digit OTPs) and a multi-minute TTL, this allows brute-force account takeover when the external rate limiter is abs
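The pattern this rule targets, beside a hardened form, as an added example that is not part of the rule page or of any project it describes. The in-memory dict store, the limit of 5 attempts and the 300-second TTL are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5      # assumed policy: burn the code after this many tries
TTL_SECONDS = 300     # assumed multi-minute TTL, as in the rule description

def issue_code(store, user_id, now=None):
    """Store a fresh 6-digit code with an attempt counter and an expiry."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    store[user_id] = {"code": code, "attempts": 0, "expires": now + TTL_SECONDS}
    return code

def verify_vulnerable(store, user_id, submitted):
    """What the rule flags: fetch, compare, return. No state changes on failure,
    so the same code can be guessed until the TTL runs out."""
    record = store.get(user_id)
    if record is None:
        return False
    return hmac.compare_digest(record["code"].encode(), submitted.encode())

def verify_hardened(store, user_id, submitted, now=None):
    """Count every attempt, expire on TTL, and burn the code after too many
    failures or on first success, independent of any external rate limiter."""
    now = time.time() if now is None else now
    record = store.get(user_id)
    if record is None:
        return False
    if now >= record["expires"]:
        del store[user_id]
        return False
    # Increment before comparing so the failure is recorded even if the
    # caller bails out early; exceeding the limit invalidates the code.
    record["attempts"] += 1
    if record["attempts"] > MAX_ATTEMPTS:
        del store[user_id]
        return False
    ok = hmac.compare_digest(record["code"].encode(), submitted.encode())
    if ok:
        del store[user_id]  # single use: a correct code cannot be replayed
    return ok
```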
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided