CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-54685

mediumCVSS 5.3covered by 1 sourcefirst seen 2026-03-24
Summary The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable delay in the response time. Details The vulnerability exists in the Auth function of JSONAuth in auth/json.go (lines 45–52). The function performs a database lookup for the user prior to performing any password validation. user, err := userStore.Get(username) if err != nil { return nil, fmt.Errorf("unable to get user from store: %v", err) } err = users.CheckPwd(password, user.Password) if err != nil { return nil, err } If the username is not found, the function returns an error immediately. If the username is found, the function calls CheckPwd, which executes the bcrypt hash comparison. Because bcrypt is intentionally computationally expensive, this introduces a measurable delay in the response time. As a result, an attacker can distinguish valid usernames from invalid ones by measuring the authentication response times. In testing, responses for valid usernames consistently required approximately 40–50 ms due to the bcrypt comparison, while invalid usernames returned in approximately 1–4 ms. PoC The script below automates this attack by calibrating the network latency using non-existent usernames to establish a baseline and then testing a list of target users. Valid usernames are detected when the response time exceeds the baseline. import requests import time import statistics Configuration - adjust domain and wordlist as appropriate TARGET_URL = "http://localhost/api/auth/login" WORDLIST = ["admin", "root", "user2", "nonexistent_test_user"] def measure(username): start = time.perf_counter() requests.post(TARGET_URL, params={"username": username}, headers={"X-Password": "wrong-password"}) return time.perf_counter() - start 1. Baseline Calibration print("[*] Calibr

⚡ Watch CVE-2026-54685

Get an email if CVE-2026-54685 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-54685

CVE.org record

Embed the live status

CVE-2026-54685 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-54685 status](https://www.csirts.com/badge/CVE-2026-54685)](https://www.csirts.com/cve/CVE-2026-54685)