Impact
The flaw resides in the /api/auth/login endpoint of Cleanuparr versions 2.7.0 through 2.8.0. The VerifyPassword function performs the most time‑consuming work of a login attempt, but the handler short‑circuits before any hashing takes place when the supplied username is invalid. This timing differential allows an unauthenticated attacker to infer whether a username exists by measuring response times; the outcome is information disclosure rather than code execution or denial of service. The weakness is classified as CWE-208 (Timing Channel).
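The following added example models the defect and its fix in Python; it is illustrative code written for this page, not Cleanuparr's own C# implementation. The user store, password hashing parameters and dummy credential are constructed here; the vulnerable variant returns before hashing for unknown users, while the hardened variant always performs one hash so both paths cost the same.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

# Constructed user store: username -> (salt, derived key). Not real data.
USERS = {"admin": make_user("correct horse battery staple")}

# Dummy credential: only used to keep the unknown-user path doing equal work.
DUMMY_SALT, DUMMY_HASH = make_user(secrets.token_hex(16))

HASH_CALLS = {"count": 0}  # instrumentation so the cost difference is observable

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """The slow step: derives the key, then compares in constant time."""
    HASH_CALLS["count"] += 1
    return hmac.compare_digest(hash_password(password, salt), expected)

def login_vulnerable(username: str, password: str) -> bool:
    """CWE-208 shape: an unknown username returns before any hashing."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path: response time reveals the username is absent
    salt, expected = record
    return verify_password(password, salt, expected)

def login_hardened(username: str, password: str) -> bool:
    """Always runs one hash, so valid and invalid usernames cost the same."""
    record = USERS.get(username)
    if record is None:
        verify_password(password, DUMMY_SALT, DUMMY_HASH)  # result discarded
        return False
    salt, expected = record
    return verify_password(password, salt, expected)

def hash_calls_for(login, username: str, password: str) -> int:
    """Counts expensive derivations one login attempt triggers."""
    before = HASH_CALLS["count"]
    login(username, password)
    return HASH_CALLS["count"] - before
```

The dummy hash equalises the dominant cost only; a dictionary lookup still differs slightly between paths, so pair this with rate limiting and a single generic error message for both failure cases.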
Affected Systems
The affected vendor and product are Cleanuparr:Cleanuparr (the Cleanuparr Project). The impacted versions are 2.7.0 through 2.8.0, as indicated by the vulnerability description. The relevant component is the /api/auth/login endpoint, accessed via the API exposed by the Cleanuparr application.
Risk and Exploitability
The CVSS score for this vulnerability is 6.9, indicating moderate severity. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, suggesting that exploitation in the wild is unlikely but not impossible. Exploitation requires an attacker who can send unauthenticated requests to the public API endpoint and perform precise timing measurements, which is technically feasible for any network‑connected attacker. The resulting impact is the exposure of valid usernames, which lets attackers focus subsequent credential‑guessing or social‑engineering attacks on known accounts.
OpenCVE Enrichment