PT-2026-5007 · Octoprint · Octoprint

Yueyuel · Published 2026-01-27 · Updated 2026-02-02 · CVE-2026-23892

CVSS v4.0: 6.0 (Medium)
Vector: AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OctoPrint versions up to and including 1.11.5

Description: OctoPrint, a web interface for controlling 3D printers, is affected by a timing attack that could allow an attacker with network access to extract API keys. The issue stems from the use of a character-by-character comparison during API key validation, which short-circuits on the first mismatched character. The comparison's runtime therefore depends on how many leading characters of the submitted key match the real one, so response-time measurements of denied-access responses can reveal information about the key one character at a time. The likelihood of successful exploitation depends on network conditions such as latency and noise. A proof of concept has not been achieved, but the potential for API key extraction exists.

Recommendations: Versions prior to 1.11.6 should be updated to version 1.11.6 or later.
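The following is an added illustration of the weakness class the advisory describes and of its standard remediation; it is not OctoPrint's code. The sample key is constructed, and validate_api_key is a hypothetical helper. naive_compare returns how many characters it examined before stopping, which is the quantity a short-circuiting comparison leaks through runtime; constant_time_compare uses hmac.compare_digest from the standard library, whose runtime does not depend on where the inputs first differ.

```python
import hmac

# Constructed sample key for the demonstration; not a real OctoPrint key.
VALID_API_KEY = "0123456789ABCDEF0123456789ABCDEF"


def naive_compare(candidate: str, expected: str) -> tuple:
    """Character-by-character comparison that returns on the first mismatch.

    Returns (match, characters_examined). The second value is what an observer
    can infer from response time: it grows with the length of the correct
    prefix, which is the information leak described in the advisory.
    """
    if len(candidate) != len(expected):
        return False, 0
    examined = 0
    for a, b in zip(candidate, expected):
        examined += 1
        if a != b:  # early exit: runtime now depends on key content
            return False, examined
    return True, examined


def constant_time_compare(candidate: str, expected: str) -> bool:
    """Comparison whose runtime depends only on input length, not content.

    hmac.compare_digest is designed for exactly this purpose; encoding to
    bytes avoids the ASCII-only restriction of comparing str values directly.
    A length mismatch returns False without raising.
    """
    return hmac.compare_digest(candidate.encode("utf-8"), expected.encode("utf-8"))


def validate_api_key(candidate: str, expected: str = VALID_API_KEY) -> bool:
    """Hardened validation entry point (hypothetical helper, not OctoPrint's API)."""
    return constant_time_compare(candidate, expected)


if __name__ == "__main__":
    # Same key length, differing at position 1 versus position 9: the naive
    # comparison does different amounts of work, the hardened one does not.
    for probe in ("X" * 32, VALID_API_KEY[:8] + "X" * 24, VALID_API_KEY):
        print(naive_compare(probe, VALID_API_KEY), validate_api_key(probe))
```

The fix is a drop-in replacement for the equality check: any secret compared against attacker-supplied input (API keys, session tokens, HMAC tags) should go through hmac.compare_digest rather than == or a manual loop, regardless of whether a timing measurement is currently believed to be practical over the deployment's network.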

Related Identifiers

CVE-2026-23892
GHSA-XG4X-W2J3-57H6

Affected Products

Octoprint