PT-2026-5730 · Unknown · Polarlearn
Jvr2022 · Published 2026-02-02 · Updated 2026-02-02 · CVE-2026-25222
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: PolarLearn versions 0-PRERELEASE-15 and earlier

Description: A timing side channel in the sign-in process lets an unauthenticated attacker determine whether a given email address is registered on the platform (user enumeration). The server performs Argon2 password hashing only when the submitted email matches an existing account; for an unknown email it returns immediately without hashing. Requests for existing users take approximately 650 ms, while requests for non-existent users take approximately 160 ms. A gap of roughly half a second is far larger than normal network jitter, so an attacker measuring the response time of the login endpoint can reliably distinguish valid from invalid email addresses with only a few requests per address. The vulnerable API endpoint is the login endpoint; the email address is the vulnerable parameter.

Recommendations: Apply a fix that makes the response time of the sign-in process independent of whether the email address is registered. The usual approach is to run the same Argon2 verification on every request, comparing against a pre-computed dummy hash with identical cost parameters when no account exists, and to return the same generic error for an unknown email and for a wrong password. Rate limiting slows enumeration of an address list but does not remove the side channel.
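The following is an added example, not PolarLearn's own code, that reproduces the pattern the advisory describes and puts the hardened variant beside it. It assumes PBKDF2 with a high iteration count as a stand-in for Argon2 (so it runs without argon2-cffi); the UserStore class, the account alice@example.com and the candidate email list are constructed for the demonstration. The vulnerable handler skips the slow hash for unknown users; the fixed handler always pays the hashing cost by verifying against a dummy record built with the same parameters.

```python
import hashlib
import hmac
import os
import secrets
import statistics
import time

# Stand-in for Argon2 (assumption: argon2-cffi may not be installed here).
# PBKDF2 with a high iteration count has the same shape, a deliberately slow
# salted password hash, so the timing asymmetry is the same.
PBKDF2_ROUNDS = 50_000


def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserStore:
    """Constructed in-memory account table that counts hash evaluations."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}
        self.hash_calls = 0

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email.lower()] = (salt, slow_hash(password, salt))

    def verify(self, record: tuple[bytes, bytes], password: str) -> bool:
        self.hash_calls += 1
        salt, digest = record
        return hmac.compare_digest(slow_hash(password, salt), digest)


def login_vulnerable(store: UserStore, email: str, password: str) -> bool:
    """Pattern described in the advisory: hash only when the account exists."""
    record = store.users.get(email.lower())
    if record is None:
        return False  # fast path, no hashing: the ~160 ms vs ~650 ms gap
    return store.verify(record, password)


# Dummy record built with the same salt size and cost parameters as real
# records, so the unknown-user branch pays exactly the same hashing cost.
_DUMMY_SALT = os.urandom(16)
DUMMY_RECORD = (_DUMMY_SALT, slow_hash(secrets.token_hex(32), _DUMMY_SALT))


def login_fixed(store: UserStore, email: str, password: str) -> bool:
    """Always run the password hash, against the dummy record if needed."""
    record = store.users.get(email.lower())
    if record is None:
        store.verify(DUMMY_RECORD, password)  # burn the same cost, then refuse
        return False
    return store.verify(record, password)


def time_login(login, store: UserStore, email: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock time of one login attempt in ms, as an attacker measures it."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login(store, email, password)
        samples.append((time.perf_counter() - start) * 1000)
    return statistics.median(samples)


def enumerate_emails(login, store: UserStore, candidates, threshold_ms: float):
    """Attacker's oracle: addresses whose login takes longer than the threshold are reported as registered."""
    return [e for e in candidates if time_login(login, store, e, "wrong-password") > threshold_ms]


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "correct horse battery staple")
    candidates = ["alice@example.com", "nobody@example.com"]  # constructed
    for login in (login_vulnerable, login_fixed):
        for email in candidates:
            print(f"{login.__name__:17s} {email:20s} {time_login(login, store, email, 'x'):7.1f} ms")
    # Threshold halfway below the known-user cost, as an attacker would calibrate it.
    threshold = time_login(login_vulnerable, store, "alice@example.com", "x") / 2
    print("oracle on vulnerable:", enumerate_emails(login_vulnerable, store, candidates, threshold))
    print("oracle on fixed:     ", enumerate_emails(login_fixed, store, candidates, threshold))
```

Run stand-alone, the vulnerable handler shows a large gap between the two addresses and the oracle lists only alice@example.com; with the fixed handler both addresses cost the same and the oracle flags both, which is no information. The dummy record must be created with the same algorithm and cost parameters as real records (for Argon2: same time, memory and parallelism settings), and the early-return branch must do nothing else that is observably cheaper or more expensive, otherwise a smaller gap remains. The same generic error message should be returned in both branches, and other endpoints such as registration and password reset need the same treatment, since they are common enumeration oracles too.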

Vulnerability type: Information Disclosure

Related Identifiers: CVE-2026-25222, GHSA-WCR9-MVR9-4QH5

Affected Products: Polarlearn