CVE-2026-32702
Awaiting Analysis - Queue
Timing Attack in Cleanuparr /api/auth/login Enables Username Enumeration

Publication date: 2026-03-16

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. In versions 2.7.0 through 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. The password hashing function, which by design is the most time-consuming part of the login process, appears to run inside the VerifyPassword function, and the checks that short-circuit a request occur before it is reached; requests that short-circuit therefore return noticeably faster, and this timing differential reveals to the actor whether the username is valid. This vulnerability is fixed in 2.8.1.
Meta Information
Published: 2026-03-16
Last Modified: 2026-03-18
Generated: 2026-06-16
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: cleanuparr_project
Product: cleanuparr
Version range: from 2.7.0 (inclusive) to 2.8.1 (exclusive)
CWE
CWE-208: Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
AI Quick Actions
Executive Summary

CVE-2026-32702 is a timing attack vulnerability in Cleanuparr versions 2.7.0 through 2.8.0. It exists in the /api/auth/login endpoint because of a logic flaw in the authentication process that causes response times to differ depending on whether the submitted username is valid.

Specifically, the password verification step uses the computationally expensive BCrypt hashing function and is only executed if the username exists and is not locked out. This creates a timing difference because invalid usernames return responses quickly, while valid usernames take longer due to the hashing step.

Attackers can measure these timing differences remotely to enumerate valid usernames without authentication, exploiting the timing side channel. The vulnerability is fixed in version 2.8.1.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to discover valid usernames by measuring response times during login attempts.

  • Attackers can use the enumerated usernames to launch targeted brute-force or credential-stuffing attacks.
  • It facilitates social engineering attacks by confirming valid user identities.
  • Overall, it weakens the security posture of the application by exposing sensitive authentication information.

Detection Guidance

This vulnerability can be detected by measuring the response times of the /api/auth/login endpoint to distinguish valid usernames from invalid ones based on timing differences.

Specifically, valid usernames cause the application to perform a BCrypt password hash verification, resulting in longer response times (~350-500ms), while invalid usernames return responses much faster (~30-60ms).

Attackers can exploit these timing differences using tools such as the TickTock Enum Burp Suite extension to remotely enumerate valid usernames without authentication.

To detect this on your network or system, you can use timing analysis tools or scripts that repeatedly send login requests with different usernames and measure the response times to identify discrepancies.

Example commands or approaches include using curl in a loop with timestamps or specialized Burp Suite extensions like TickTock Enum to automate timing measurements.

Mitigation Strategies

The immediate mitigation step is to upgrade the Cleanuparr application to version 2.8.1 or later, where this timing attack vulnerability has been fixed.

The fix involves ensuring consistent response times for authentication requests regardless of username validity, preventing attackers from distinguishing valid usernames via timing differences.
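The short-circuit-before-hash pattern the description names and the constant-work fix described here, side by side, as an added example that is not Cleanuparr's own code. PBKDF2 stands in for BCrypt, the user store is constructed, and `hash_calls` counts how often the slow hash ran so the difference is visible without a stopwatch:

```python
import hashlib
import hmac
import os
import time

# PBKDF2 stands in for the BCrypt the advisory names; the iteration count is
# chosen to make the hash measurably slow (constructed for this example).
ITERATIONS = 200_000
HASH_CALLS = {"count": 0}  # instrumentation: how often the slow hash ran

def hash_password(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), expected)

# Constructed user store: username -> (salt, hash, locked_out).
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, hash_password("correct horse", _SALT), False)}
# Dummy credential the hardened path verifies when the user is unknown, so the
# slow hash runs exactly once per request; it is marked locked so it never logs in.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)

def login_vulnerable(username: str, password: str) -> bool:
    """Short-circuits before hashing: unknown or locked users answer fast."""
    user = USERS.get(username)
    if user is None or user[2]:
        return False  # no hash ran, so the response is quick
    return verify_password(password, user[0], user[1])

def login_hardened(username: str, password: str) -> bool:
    """Runs one hash verification for every request, then applies lockout."""
    salt, expected, locked = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH, True))
    ok = verify_password(password, salt, expected)
    return ok and not locked

def hash_calls(login, username: str) -> int:
    """Count how many slow-hash invocations one login attempt triggers."""
    HASH_CALLS["count"] = 0
    login(username, "wrong password")
    return HASH_CALLS["count"]

if __name__ == "__main__":
    for login in (login_vulnerable, login_hardened):
        for name in ("admin", "nobody"):
            t0 = time.perf_counter()
            login(name, "wrong password")
            print(f"{login.__name__:16s} {name:8s} {time.perf_counter() - t0:.3f}s")
```

Running the block prints the vulnerable path answering an unknown username in microseconds while the hardened path takes the same hash time for every name.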

Until the upgrade can be applied, consider implementing network-level protections such as rate limiting, IP blocking, or web application firewalls to reduce the risk of automated timing attacks.
