Though perhaps an accidental find by Abhi Sharma it is a great one none-the-less. With a race-condition leading to the bypass of a MFA check.

The MFA check in question here was before generating a person access token, so an attacker would already have to be in a fairly privileged position to take advantage of it. The gist of the issue though is just that spamming POST requests at the /api/integrations/personal_access_tokens endpoint used to generate new tokens would occasionally have a request get through without needing to pass the MFA check.

Exactly how this works is hard to say, but this did feel like exactly the sort of issue James Kettle was thinking of in his recent research on Smashing the State Machine. As, to me, this feels like it is possibly some transitory state in the system as its updating between need and not needing the MFA token to be filled out that perhaps while partially done can be hit for this MFA bypass. Ultimately that is speculation on my side, but its a neat bug to see.