Description
Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue.
Published: 2026-01-30
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: User Enumeration
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in Vendure’s NativeAuthenticationStrategy where the authenticate method exits immediately for unknown users, creating a measurable timing gap compared to existing accounts. This timing discrepancy, roughly 200-400 milliseconds for bcrypt password verification versus only 1-5 milliseconds for a database miss, can be leveraged by an attacker to reliably determine whether a specific email address corresponds to a valid account. The outcome is information disclosure in the form of enumerating valid user identities, potentially aiding further credential-based attacks.

Affected Systems

Vendure, the open‑source headless commerce platform maintained by vendurehq. Any deployment using a release prior to version 3.5.3 is affected. The fix was introduced in release 3.5.3 and later versions are not vulnerable.

Risk and Exploitability

The CVSS v4.0 score of 2.7 is Low (NVD's CVSS v3.1 assessment of the same issue is 5.3 Medium), and the EPSS score below 1% indicates that exploitation is currently unlikely to be widespread. The vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based and needs nothing beyond repeated login attempts against the public authentication API: no privileges, no user interaction and no special preconditions (PR:N, UI:N, AT:N in the vector). An attacker automates the measurement by submitting a candidate email address with a wrong password and comparing the response latency against that of an identifier known not to exist; the roughly hundredfold gap between a bcrypt comparison and a database miss is large enough to survive ordinary network jitter with a handful of samples, which is consistent with the SSVC record marking the issue as automatable. The direct impact is limited to confirming which email addresses have accounts; the practical concern is the follow-on use of that list for credential stuffing or password spraying.

Generated by OpenCVE AI on April 18, 2026 at 01:06 UTC.

Remediation

Vendor fix: upgrade to Vendure 3.5.3 or later, the release identified in the description and in the GHSA advisory as fixing the issue. No vendor-provided workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade Vendure to version 3.5.3 or later, the release that removes the timing discrepancy
  • If an upgrade cannot be performed immediately, make the two failure paths cost the same: when the user is not found, still run the bcrypt comparison against a fixed dummy hash (generated with the same cost factor as real password hashes) instead of returning early. A fixed or randomized sleep is a weaker stopgap, because an attacker can average out added jitter over repeated requests
  • Rate-limit the authentication endpoint per source address and per identifier, and alert on bursts of failed logins spread across many distinct email addresses, which is the signature of an enumeration run
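The pattern behind the description and the recommended actions above, as an added example that is not Vendure's code: a vulnerable authenticate() that returns before any hash work when the lookup misses, beside a hardened one that always performs exactly one password verification, plus the measurement an attacker would make. Assumptions: Node's built-in scrypt stands in for bcrypt (the real strategy uses bcrypt; any slow password hash leaks the same way), an in-memory Map stands in for the database, and the example.com identifiers and password are constructed sample data.

```typescript
// Added example, not Vendure's code. scrypt (Node built-in) stands in for bcrypt,
// a Map stands in for the user table; all identifiers below are constructed.
import { scryptSync, randomBytes, timingSafeEqual } from "crypto";

interface UserRow {
  identifier: string;
  passwordHash: string; // "<salt hex>:<derived key hex>"
}

// Salted scrypt hash in the same role bcrypt plays in the real strategy.
export function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, 32);
  return `${salt.toString("hex")}:${key.toString("hex")}`;
}

// Recompute the derived key and compare in constant time.
export function verifyPassword(password: string, stored: string): boolean {
  const [saltHex, keyHex] = stored.split(":");
  const expected = Buffer.from(keyHex, "hex");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), expected.length);
  return timingSafeEqual(actual, expected);
}

// Constructed sample data: one account, no real credentials.
const users = new Map<string, UserRow>();
users.set("alice@example.com", {
  identifier: "alice@example.com",
  passwordHash: hashPassword("correct horse battery staple"),
});

// Vulnerable shape (the pattern the advisory describes): a missing user returns
// before any hash work, so the response is far faster than for a real account
// with a wrong password.
export function authenticateVulnerable(identifier: string, password: string): UserRow | false {
  const user = users.get(identifier);
  if (!user) {
    return false; // fast path: lookup cost only
  }
  return verifyPassword(password, user.passwordHash) ? user : false;
}

// Hardened shape: always run one verification. For a missing user the comparison
// is made against a precomputed dummy hash built with the same parameters, so both
// branches cost the same. (With bcrypt the dummy must be a genuine bcrypt hash
// produced with the same cost factor as the stored hashes.)
const DUMMY_HASH = hashPassword(randomBytes(32).toString("hex"));

export function authenticateHardened(identifier: string, password: string): UserRow | false {
  const user = users.get(identifier);
  const ok = verifyPassword(password, user ? user.passwordHash : DUMMY_HASH);
  if (!user || !ok) {
    return false;
  }
  return user;
}

// Median wall-clock time of fn() over `runs` calls, in milliseconds.
function medianMs(fn: () => void, runs: number): number {
  const samples: number[] = [];
  for (let i = 0; i < runs; i++) {
    const start = Date.now();
    fn();
    samples.push(Date.now() - start);
  }
  samples.sort((a, b) => a - b);
  return samples[Math.floor(runs / 2)];
}

// What an attacker measures: latency gap between a known-existing identifier and a
// non-existent one, both with a wrong password. Large for the vulnerable shape,
// near zero for the hardened one.
export function enumerationGapMs(
  auth: (identifier: string, password: string) => UserRow | false,
  runs = 9,
): number {
  const existing = medianMs(() => auth("alice@example.com", "not-the-password"), runs);
  const missing = medianMs(() => auth("nobody@example.com", "not-the-password"), runs);
  return Math.abs(existing - missing);
}
```

The hardened version still returns the same generic failure for both cases; what changes is only that the expensive step runs unconditionally. Note that a dummy hash has to match the cost parameters of the real hashes, otherwise the gap merely shrinks rather than disappears, and that the remaining difference (one Map or database lookup) is well below network jitter.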


Advisories
Source: GitHub GHSA
ID: GHSA-6f65-4fv2-wwch
Title: Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy
History

Thu, 26 Feb 2026 22:00:00 +0000

No values removed.
Type: CPEs
  Values added: cpe:2.3:a:vendure:vendure:*:*:*:*:*:*:*:*
Type: Metrics (cvssV3_1)
  Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Tue, 03 Feb 2026 15:00:00 +0000

No values removed.
Type: First Time appeared
  Values added: Vendure; Vendure vendure
Type: Vendors & Products
  Values added: Vendure; Vendure vendure

Fri, 30 Jan 2026 16:15:00 +0000

No values removed.
Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 30 Jan 2026 15:30:00 +0000

No values removed.
Type: Description
  Values added: Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue.
Type: Title
  Values added: Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy
Type: Weaknesses
  Values added: CWE-202
Type: References
  Values added: (none listed)
Type: Metrics (cvssV4_0)
  Values added: {'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-30T15:45:50.463Z

Reserved: 2026-01-28T14:50:47.888Z

Link: CVE-2026-25050

Vulnrichment

Updated: 2026-01-30T15:45:40.636Z

NVD

Status : Analyzed

Published: 2026-01-30T16:16:13.967

Modified: 2026-02-26T21:59:27.637

Link: CVE-2026-25050

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses