CVE-2026-25222
Unknown Unknown - Not Provided

Timing Attack in PolarLearn Sign-In Enables User Enumeration

Vulnerability report for CVE-2026-25222, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-02

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-02
Last Modified
2026-02-20
Generated
2026-07-06
AI Q&A
2026-02-03
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
polarlearn polarlearn *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a timing attack in the sign-in process of PolarLearn (version 0-PRERELEASE-15 and earlier). An unauthenticated attacker can measure the response time of the login endpoint to determine if a specific email address is registered on the platform. This happens because the server only performs the computationally expensive Argon2 password hashing if the user exists, causing requests for existing users to take significantly longer (~650ms) than for non-existent users (~160ms).

Impact Analysis

This vulnerability can allow attackers to enumerate valid email addresses registered on the PolarLearn platform without authentication. This could lead to targeted phishing attacks, privacy breaches, or further attempts to compromise user accounts.

Detection Guidance

This vulnerability can be detected by measuring the response times of the login endpoint for different email addresses. Specifically, by sending login requests with various email addresses and observing the response times, you can distinguish between valid and invalid users. Valid users cause the server to perform Argon2 password hashing, resulting in longer response times (~650ms), while invalid users result in shorter response times (~160ms). Commands to detect this could involve using tools like curl or wget in a script to send login requests and measure response times, for example using curl with the --write-out option to capture timing information.

Mitigation Strategies

Immediate mitigation steps include implementing constant-time responses for the login endpoint regardless of whether the user exists or not, to prevent timing differences that reveal user existence. Another approach is to add artificial delays to responses for invalid users to match the response time of valid users. Additionally, monitoring and rate limiting login attempts can help reduce the risk of exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25222. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart