Description
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Sync‑in Server releases before 2.2.0, the /api/auth/login endpoint takes measurably different time to respond depending on whether the submitted username exists. An unauthenticated remote attacker who submits candidate usernames and compares response times can therefore distinguish valid accounts from invalid ones and assemble a list of real usernames. Such a list removes the guesswork from follow‑on credential attacks (password spraying, credential stuffing, targeted phishing); the enumeration itself needs no password and no prior authentication, only HTTP access to the login endpoint. The weakness is classified as CWE‑208 (Observable Timing Discrepancy). The direct impact is limited to confidentiality of account names, which is what the CVSS 4.0 vector (VC:L, no integrity or availability impact) records.

Affected Systems

The flaw is present in all Sync‑in Server releases before version 2.2.0. The vendor has released a patched version, 2.2.0, which eliminates the timing discrepancy. Systems running older versions without the fix are susceptible.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 rates the issue Medium. EPSS data is not available, so the likelihood of exploitation cannot be quantified, but the flaw is reachable by any host with network connectivity to the service and requires nothing more than a script that times HTTP requests. The issue is not listed in CISA's KEV catalog, so there is no public confirmation of exploitation in the wild. Enumeration attempts leave only ordinary failed‑login records, so a burst of authentication failures spread across many distinct usernames from one source is the signal to look for. Given how little effort exploitation takes, prompt remediation is warranted, especially for instances exposed to the public internet.

Generated by OpenCVE AI on May 8, 2026 at 15:03 UTC.

Remediation

Vendor fix: Sync‑in Server 2.2.0 removes the timing discrepancy (see GHSA-43fj-qp3h-hrh5). No separate workaround is published by the vendor; the measures below are compensating controls for the interval before the upgrade.

OpenCVE Recommended Actions

  • Upgrade Sync‑in Server to version 2.2.0 or later; this is the only complete fix.
  • If an upgrade is not immediately possible, restrict access to the /api/auth/login endpoint (and therefore the application) to trusted networks or a VPN, so that the oracle is not reachable from the internet.
  • Apply rate limiting or request throttling on the login endpoint. This raises the cost of collecting enough samples per username but does not remove the timing signal, so treat it as a stopgap rather than a mitigation.
  • Review authentication logs for failed logins spanning many distinct usernames from a single source, the pattern an enumeration run produces.


Advisories
Source: GitHub GHSA
ID: GHSA-43fj-qp3h-hrh5
Title: Sync-in Server has Username Enumeration via Timing Attack
History

Fri, 08 May 2026 15:45:00 +0000

Type: First Time appeared
Values Added: Sync-in, Sync-in server

Type: Vendors & Products
Values Added: Sync-in, Sync-in server

Fri, 08 May 2026 13:30:00 +0000

Type: Description
Values Added: Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0.

Type: Title
Values Added: Username Enumeration via Timing Attack

Type: Weaknesses
Values Added: CWE-208

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T13:00:54.485Z

Reserved: 2026-04-17T16:34:45.524Z

Link: CVE-2026-41161

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-08T14:16:33.093

Modified: 2026-05-08T16:08:15.570

Link: CVE-2026-41161

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T15:30:05Z

Weaknesses