EUVD-2026-3787

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

CVE-2025-22234 Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

Spring Security security vulnerabilities

Spring Security is a security framework developed by Spring, an open-source project, that includes authentication and authorization features. Spring Security has security vulnerabilities; these vulnerabilities stem from the timing attack mitigation measures in the DaoAuthenticationProvider being...

CVE-2026-23996 FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection

FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verifykey. The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys b...

CVE-2026-23996

CVE-2026-23996 concerns the FastAPI Api Key library. Version 1.1.0 is reported to expose a timing side-channel in verify_key(), where a random delay is applied only on verification failures. This enables an attacker to statistically distinguish valid from invalid API keys by measuring response la...

GHSA-95C6-P277-P87G FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection

Impact Timing side-channel vulnerability in verifykey. The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a...

Timing Attack

Overview fastapi-api-key is a fastapi-api-key provides secure, production-ready API key management for FastAPI. It offers pluggable hashing strategies Argon2 or bcrypt, backend-agnostic persistence currently SQLAlchemy, and an optional cache layer aiocache. Includes a Typer CLI and a FastAPI rout...

FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection

Impact Timing side-channel vulnerability in verifykey. The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a...

GHSA-43MM-M3H2-3PRC File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login

Summary The JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. Details The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username ...

Timing Attack

Overview Affected versions of this package are vulnerable to Timing Attack via the JSONAuth.Auth function. An unauthenticated attacker can determine valid usernames by measuring the response time of the /api/login endpoint, exploiting the timing discrepancy between valid and invalid username...

Timing Attack

Overview Affected versions of this package are vulnerable to Timing Attack via the JSONAuth.Auth function. An unauthenticated attacker can determine valid usernames by measuring the response time of the /api/login endpoint, exploiting the timing discrepancy between valid and invalid username...

File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login

Summary The JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. Details The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username ...

PT-2026-3874

Name of the Vulnerable Software and Affected Versions FastAPI Api Key versions prior to 1.1.0 Description The verify key function in FastAPI Api Key contains a timing side-channel that allows an attacker to differentiate between valid and invalid API keys by measuring response latencies. The meth...

CVE-2026-23849

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuri...

MiracleLinux 8 : nss-3.90.0-4.el8_9 (AXSA:2024-7398:02)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2024-7398:02 advisory. nss: timing attack against RSA decryption CVE-2023-5388 Tenable has extracted the preceding description block directly from the MiracleLinux security advisor...

MiracleLinux 8 : nodejs:20 (AXSA:2024-7668:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7668:01 advisory. nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS1 v1.5 padding Marvin CVE-2023-46809 nodejs: reading unprocessed HTTP...

MiracleLinux 8 : openssl-1.1.1k-9.el8 (AXSA:2023-5236:03)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-5236:03 advisory. openssl: X.400 address type confusion in X.509 GeneralName CVE-2023-0286 openssl: timing attack in RSA Decryption implementation CVE-2022-4304...

MiracleLinux 9 : nss-3.90.0-4.el9_3 (AXSA:2024-7386:01)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2024-7386:01 advisory. nss: timing attack against RSA decryption CVE-2023-5388 Tenable has extracted the preceding description block directly from the MiracleLinux security advisor...

MiracleLinux 8 : libgcrypt-1.8.5-4.el8 (AXSA:2020-1018:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2020-1018:01 advisory. libgcrypt: ECDSA timing attack allowing private key leak CVE-2019-13627 Tenable has extracted the preceding description block directly from the MiracleLinux...

MiracleLinux 8 : container-tools:4.0 (AXSA:2024-7516:02)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7516:02 advisory. runc: file descriptor leak Leaky Vessels CVE-2024-21626 A Asianux Security Bulletin which addresses further details about the Leaky Vessels flaw is...