Description
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms).
Published: 2026-02-02
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Enumeration
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a timing side-channel on PolarLearn's sign-in API. Attackers measuring response times can determine whether an email address is registered, allowing them to enumerate valid user accounts. The flaw originates because the Argon2 password hash is computed only when the user exists, producing a noticeable delay that is exploitable through simple timing measurements. This exposure of sensitive information maps to CWE-200.

Affected Systems

PolarLearn versions 0-PRERELEASE-15 and earlier are affected. The project resides on GitHub under the polarnl organization; only these releases contain the vulnerable logic. Newer releases are presumed to have addressed the issue.

Risk and Exploitability

The CVSS base score is 6.3, indicating moderate severity. EPSS reports a very low exploitation probability (< 1%). The vulnerability is not listed in the KEV catalog. The attack vector is network-based and does not require privileged access; any unauthenticated user with connectivity to the sign-in endpoint can iterate over email addresses and observe timing differences, enabling user enumeration.

Generated by OpenCVE AI on April 18, 2026 at 00:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PolarLearn to a version after 0-PRERELEASE-15 or modify the login routine to compute the Argon2 hash for every request.
  • Deploy rate limiting or a traffic obfuscation layer on the login endpoint to reduce the timing resolution available to attackers.
  • Monitor login traffic for repeated attempts to detect enumeration or credential-guessing activity.
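The "compute the hash for every request" fix from the first action, shown as an added example that is not PolarLearn's own code. It assumes hashlib.scrypt as a stand-in for Argon2 (argon2-cffi is not in the standard library), a constructed in-memory user table, and counts slow-hash invocations as a deterministic proxy for the ~160ms vs ~650ms timing gap the advisory describes.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# hashlib.scrypt stands in for Argon2 (argon2-cffi is not in the standard
# library); only the control flow around the slow hash matters here.
SALT_LEN = 16
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt or os.urandom(SALT_LEN)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)

# Constructed in-memory user table standing in for the database.
USERS: Dict[str, bytes] = {"alice@example.com": hash_password("correct horse battery staple")}
# Dummy record computed once at startup; verifying against it costs the same
# as verifying against a real user's hash.
DUMMY_HASH = hash_password(secrets.token_hex(16))
HASH_CALLS = {"count": 0}  # slow-hash invocations: a deterministic proxy for timing

def counted_verify(password: str, stored: bytes) -> bool:
    HASH_CALLS["count"] += 1
    return verify_password(password, stored)

def login_vulnerable(email: str, password: str) -> bool:
    """Pattern from the advisory: the slow hash runs only when the user exists."""
    stored = USERS.get(email)
    if stored is None:
        return False  # fast path (~160ms in the advisory) reveals the email is unknown
    return counted_verify(password, stored)  # slow path (~650ms)

def login_fixed(email: str, password: str) -> bool:
    """Hardened form: the slow hash runs on every request, so both paths cost the same."""
    stored = USERS.get(email)
    ok = counted_verify(password, stored if stored is not None else DUMMY_HASH)
    return ok and stored is not None  # an unknown email is still rejected

def hash_calls_for(login, email: str, password: str) -> int:
    """Number of slow-hash computations one login attempt triggers."""
    before = HASH_CALLS["count"]
    login(email, password)
    return HASH_CALLS["count"] - before
```

Rate limiting from the second action still belongs in front of the endpoint: equalising the work per request removes the signal, while the limiter removes the attacker's ability to average away residual noise.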

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 21:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Polarlearn
                    |                | Polarlearn polarlearn
CPEs                |                | cpe:2.3:a:polarlearn:polarlearn:-:*:*:*:*:*:*:*
Vendors & Products  |                | Polarlearn
                    |                | Polarlearn polarlearn
Metrics             |                | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 04 Feb 2026 21:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Polarnl
                    |                | Polarnl polarlearn
Vendors & Products  |                | Polarnl
                    |                | Polarnl polarlearn

Mon, 02 Feb 2026 23:15:00 +0000

Type        | Values Removed | Values Added
Description |                | PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms).
Title       |                | PolarLearn Affected by User Enumeration via Argon2 Timing Attack on Sign-In Endpoint
Weaknesses  |                | CWE-200
References  |                |
Metrics     |                | cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T21:09:06.648Z

Reserved: 2026-01-30T14:44:47.327Z

Link: CVE-2026-25222

Vulnrichment

Updated: 2026-02-04T21:09:01.634Z

NVD

Status : Analyzed

Published: 2026-02-02T23:16:09.923

Modified: 2026-02-20T20:48:00.380

Link: CVE-2026-25222

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses