CVE-2026-41418
Received
Received - Intake
BaseFortify
Publication date: 2026-04-24
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Description
4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in the login endpoint (POST /api/access-tokens). When an invalid username/email is provided, the server responds immediately (~17ms average). When a valid username/email is provided with an incorrect password, the server first performs a bcrypt.compareSync() operation (~74ms average) before responding. This ~4.4Γ timing difference is trivially detectable even over a network β a single request suffices. This vulnerability is fixed in 3.3.5.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70