CVE-2026-44196
CriticalSummary
In Pingvin Share X versions 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker with a valid username and password to completely skip the two-factor authentication (TOTP) requirement. This vulnerability is fixed in version 1.16.3.
Risk Assessment
The organization is at risk of unauthorized access to user accounts, which could lead to data breaches or other serious security incidents.
Recommendation
It is recommended to upgrade to version 1.16.3 or later to eliminate this vulnerability and implement additional security measures to protect user accounts.
Original NVD description (English source)
Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication (TOTP) requirement entirely. Although, an attacker still needs the user's password to reach this stage. This vulnerability is fixed in 1.16.3.

