Description
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographical method with static runtime regardless of the point of mismatch, an attacker with network based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guess an API key character by character. The vulnerability is patched in version 1.11.6. The likelihood of this attack actually working is highly dependent on the network's latency, noise and similar parameters. An actual proof of concept was not achieved so far. Still, as always administrators are advised to not expose their OctoPrint instance on hostile networks, especially not on the public Internet.
Published: 2026-01-27
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: API Key Disclosure
Action: Patch
AI Analysis

Impact

OctoPrint validated API keys with a character-by-character comparison that short-circuits on the first mismatch, so the time taken to reject a wrong key depends on how long a prefix of it was correct (CWE-208). An attacker who can send requests to the instance and measure the response times of the denied responses can, in principle, infer the key one character at a time instead of brute-forcing the whole key space. The advisory stresses that no working proof of concept has been achieved and that success depends on network latency and noise; where conditions are favourable, though, the result is disclosure of a valid API key, that is, of credentials granting API access to the instance and the attached printer.
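
The mechanism above, as an added example that is not OctoPrint's code: a short-circuiting key check is placed beside a constant-time one, and the attacker's character-by-character recovery is run against both. Because wall-clock timing in a short script would be dominated by noise (the same problem the advisory describes on a real network), the vulnerable comparison is instrumented to report how many characters it examined before rejecting the key; that count is the quantity an attacker tries to estimate from response-time differences, typically by averaging many repeated requests per candidate. The key, its 32-character length and the alphanumeric alphabet are constructed for the demonstration; hmac.compare_digest is the standard-library constant-time comparison, not necessarily the exact call OctoPrint 1.11.6 uses.

```python
"""Added example (not OctoPrint's code): a deterministic model of the API-key
timing side channel (CWE-208) and of the constant-time fix.

`work` stands in for response time: it is the number of characters the
validator examined before answering. The key, alphabet and key length below
are constructed for the demonstration.
"""
import hmac
import string
from typing import Callable, Tuple

ALPHABET = string.ascii_letters + string.digits  # assumed key alphabet (62 symbols)
SAMPLE_KEY = "7D2cM9kQw1zLp4Ra8tXe0bN6VhYs3Ujf"      # constructed 32-character key


def short_circuit_compare(expected: str, candidate: str) -> Tuple[bool, int]:
    """Vulnerable pattern: stop at the first mismatched character.

    Returns (accepted, work). `work` is the number of characters examined;
    in a live deployment it shows up as a tiny increase in response time.
    """
    if len(expected) != len(candidate):
        return False, 0
    work = 0
    for a, b in zip(expected, candidate):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_compare(expected: str, candidate: str) -> Tuple[bool, int]:
    """Hardened pattern: hmac.compare_digest examines every byte, so the work
    done does not depend on where (or whether) the candidate differs."""
    accepted = hmac.compare_digest(expected.encode(), candidate.encode())
    return accepted, len(expected)


Oracle = Callable[[str], Tuple[bool, int]]


def recover_key(oracle: Oracle, key_length: int) -> Tuple[str, int]:
    """Recover the key one character at a time from the (accepted, work) oracle.

    At position i every wrong guess is rejected after i + 1 characters; only the
    right guess makes the validator read further, so it has the largest work.
    The last character is confirmed by an accepted response instead, because
    every candidate is examined in full there. Returns (key, requests_sent).
    """
    recovered, requests = "", 0
    for pos in range(key_length):
        best_char, best_work = ALPHABET[0], -1
        for ch in ALPHABET:
            padding = ALPHABET[0] * (key_length - pos - 1)  # keep the length right
            accepted, work = oracle(recovered + ch + padding)
            requests += 1
            if accepted:
                return recovered + ch, requests
            if work > best_work:
                best_char, best_work = ch, work
        recovered += best_char
    return recovered, requests


def simulate(compare: Callable[[str, str], Tuple[bool, int]],
             real_key: str) -> Tuple[str, int]:
    """Run the recovery against a server that validates keys with `compare`."""
    return recover_key(lambda candidate: compare(real_key, candidate), len(real_key))


if __name__ == "__main__":
    for name, fn in (("short-circuit", short_circuit_compare),
                     ("constant-time", constant_time_compare)):
        key, requests = simulate(fn, SAMPLE_KEY)
        print(f"{name}: recovered correct key = {key == SAMPLE_KEY}, "
              f"requests = {requests}")
```

Against the short-circuiting validator the full key comes back after fewer than 32 x 62 requests instead of the 62^32 a blind search would need; against the constant-time validator every candidate costs the same, the per-position maximum is meaningless, and the attacker ends up with a junk key. On a real network the per-character difference is in the nanosecond range and has to be recovered statistically from many measurements, which is why the advisory calls the attack theoretical while still fixing the comparison.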

Affected Systems

All OctoPrint releases up to and including version 1.11.5 are affected; the fix shipped in OctoPrint 1.11.6. Administrators should confirm that the running version, as shown in the web UI and returned by the REST API version endpoint (/api/version), is 1.11.6 or later.

Risk and Exploitability

The CVSS 4.0 base score is 6.0 (Medium; vector AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N) and NVD's CVSS 3.1 score is 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact with no privileges or user interaction required, but high attack complexity and, in the 4.0 rating, an adjacent-network vector with preconditions. The EPSS score below 1 % reflects a very low estimated exploitation probability, the SSVC assessment records no known exploitation and rates the attack as not automatable, and the CVE is not listed in CISA's KEV catalog. An attacker needs network reachability to the OctoPrint instance; a low-jitter path such as the same LAN is the most favourable setting for timing measurements, while exposure to the public Internet widens the set of parties who can attempt the attack even though Internet-scale latency and noise make the measurement harder. Network isolation limits who can try, not the leak itself; only upgrading removes it.

Generated by OpenCVE AI on April 18, 2026 at 01:59 UTC.

Remediation

Vendor fix: OctoPrint 1.11.6 replaces the short-circuiting API key comparison (see the description above and the GHSA advisory). No workaround other than network isolation is provided.

OpenCVE Recommended Actions

  • Upgrade OctoPrint to version 1.11.6 or newer; this is the only change that removes the timing side channel.
  • Do not expose the instance to hostile networks, least of all the public Internet: keep it behind a firewall or VPN and block unsolicited inbound traffic, which limits who can attempt the measurement.
  • Treat API keys that were valid while the instance was reachable from untrusted networks as potentially exposed: rotate them after upgrading and delete keys that are no longer needed.

Advisories
Source       ID                   Title
GitHub GHSA  GHSA-xg4x-w2j3-57h6  OctoPrint has Timing Side-Channel Vulnerability in API Key Authentication
History

Mon, 02 Feb 2026 14:45:00 +0000

Type     Values Removed   Values Added
CPEs     (none)           cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*
Metrics  (none)           cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 28 Jan 2026 12:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Octoprint; Octoprint octoprint
Vendors & Products   (none)           Octoprint; Octoprint octoprint

Tue, 27 Jan 2026 20:15:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 19:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographical method with static runtime regardless of the point of mismatch, an attacker with network based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guess an API key character by character. The vulnerability is patched in version 1.11.6. The likelihood of this attack actually working is highly dependent on the network's latency, noise and similar parameters. An actual proof of concept was not achieved so far. Still, as always administrators are advised to not expose their OctoPrint instance on hostile networks, especially not on the public Internet.
Title        (none)           OctoPrint has Timing Side-Channel Vulnerability in API Key Authentication
Weaknesses   (none)           CWE-208
References   (none)           (none)
Metrics      (none)           cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T19:14:50.643Z

Reserved: 2026-01-16T21:02:02.902Z

Link: CVE-2026-23892

Vulnrichment

Updated: 2026-01-27T19:14:34.560Z

NVD

Status : Analyzed

Published: 2026-01-27T19:16:16.027

Modified: 2026-02-02T14:39:36.583

Link: CVE-2026-23892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses