CVE-2026-25222
Unknown Unknown - Not Provided
Timing Attack in PolarLearn Sign-In Enables User Enumeration

Publication date: 2026-02-02

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25222
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
polarlearn polarlearn *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a timing attack in the sign-in process of PolarLearn (version 0-PRERELEASE-15 and earlier). An unauthenticated attacker can measure the response time of the login endpoint to determine if a specific email address is registered on the platform. This happens because the server only performs the computationally expensive Argon2 password hashing if the user exists, causing requests for existing users to take significantly longer (~650ms) than for non-existent users (~160ms).

Impact Analysis

This vulnerability can allow attackers to enumerate valid email addresses registered on the PolarLearn platform without authentication. This could lead to targeted phishing attacks, privacy breaches, or further attempts to compromise user accounts.

Detection Guidance

This vulnerability can be detected by measuring the response times of the login endpoint for different email addresses. Specifically, by sending login requests with various email addresses and observing the response times, you can distinguish between valid and invalid users. Valid users cause the server to perform Argon2 password hashing, resulting in longer response times (~650ms), while invalid users result in shorter response times (~160ms). Commands to detect this could involve using tools like curl or wget in a script to send login requests and measure response times, for example using curl with the --write-out option to capture timing information.

Mitigation Strategies

Immediate mitigation steps include implementing constant-time responses for the login endpoint regardless of whether the user exists or not, to prevent timing differences that reveal user existence. Another approach is to add artificial delays to responses for invalid users to match the response time of valid users. Additionally, monitoring and rate limiting login attempts can help reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25222. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart