CVE-2026-32702
Timing Attack in Cleanuparr /api/auth/login Enables Username Enumeration
Publication date: 2026-03-16
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cleanuparr_project | cleanuparr | From 2.7.0 (inc) to 2.8.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32702 is a timing attack vulnerability in the Cleanuparr application versions 2.7.0 to 2.8.0. It exists in the /api/auth/login endpoint due to a logic flaw in the authentication process that causes inconsistent response times depending on whether a username is valid or not.
Specifically, the password verification step uses the computationally expensive BCrypt hashing function and is only executed if the username exists and is not locked out. This creates a timing difference because invalid usernames return responses quickly, while valid usernames take longer due to the hashing step.
By measuring these response-time differences remotely, an unauthenticated attacker can enumerate valid usernames through the timing side channel. The vulnerability is fixed in version 2.8.1.
How can this vulnerability impact me?
This vulnerability allows unauthenticated remote attackers to discover valid usernames by measuring response times during login attempts.
- Attackers can use the enumerated usernames to launch targeted brute-force or credential stuffing attacks.
- It facilitates social engineering attacks by confirming valid user identities.
- Overall, it weakens the security posture of the application by exposing sensitive authentication information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by measuring the response times of the /api/auth/login endpoint to distinguish valid usernames from invalid ones based on timing differences.
Specifically, valid usernames cause the application to perform a BCrypt password hash verification, resulting in longer response times (~350-500ms), while invalid usernames return responses much faster (~30-60ms).
Attackers can exploit these timing differences using tools such as the TickTock Enum Burp Suite extension to remotely enumerate valid usernames without authentication.
To detect this on your network or system, you can use timing analysis tools or scripts that repeatedly send login requests with different usernames and measure the response times to identify discrepancies.
Example commands or approaches include using curl in a loop with timestamps or specialized Burp Suite extensions like TickTock Enum to automate timing measurements.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Cleanuparr application to version 2.8.1 or later, where this timing attack vulnerability has been fixed.
The fix involves ensuring consistent response times for authentication requests regardless of username validity, preventing attackers from distinguishing valid usernames via timing differences.
Until the upgrade can be applied, consider implementing network-level protections such as rate limiting, IP blocking, or web application firewalls to reduce the risk of automated timing attacks.
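The fix described above, as an added Python example that is not Cleanuparr's own code: the pre-fix branch shape that skips hashing for unknown or locked-out users, beside a version that runs the slow hash on every path, with a counter showing that the expensive step no longer depends on username validity. PBKDF2-HMAC is assumed as a stand-in for BCrypt (the standard library has no bcrypt), and the user store is constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: the stdlib has no bcrypt, so PBKDF2-HMAC-SHA256 at high cost stands in for it.
ITERATIONS = 100_000
STATS = {"slow_hashes": 0}  # counts how often the expensive step ran

def slow_hash(password: str, salt: bytes) -> bytes:
    STATS["slow_hashes"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    locked_out: bool = False

def make_user(password: str, locked_out: bool = False) -> User:
    salt = secrets.token_bytes(16)
    return User(salt, slow_hash(password, salt), locked_out)

# Constructed user store; DUMMY is never a real account and is verified against
# whenever the requested username is unknown or locked out.
USERS = {"alice": make_user("correct horse"), "bob": make_user("x", locked_out=True)}
DUMMY = make_user(secrets.token_hex(16))

def verify(user: User, password: str) -> bool:
    return hmac.compare_digest(slow_hash(password, user.salt), user.pw_hash)

def login_vulnerable(username: str, password: str) -> bool:
    """Pre-2.8.1 shape: unknown or locked-out users return before any hashing."""
    user = USERS.get(username)
    if user is None or user.locked_out:
        return False
    return verify(user, password)

def login_fixed(username: str, password: str) -> bool:
    """Run the slow hash on every path so cost no longer depends on the username."""
    user = USERS.get(username)
    if user is None or user.locked_out:
        verify(DUMMY, password)  # spend the same BCrypt-equivalent time, then reject
        return False
    return verify(user, password)

def slow_hashes_for(login, username: str, password: str) -> tuple[bool, int]:
    """Return (authenticated, number of slow hashes the login call performed)."""
    before = STATS["slow_hashes"]
    return login(username, password), STATS["slow_hashes"] - before
```

The not-found and locked-out branches should also return the same status code and error body as a wrong password, since the response content can leak the same information as its timing.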