Description
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a timing-based user enumeration flaw in Filament’s login page, observable from versions 4.0.0 through 4.11.5 and 5.6.5. By measuring the response time to different email addresses, an unauthenticated attacker can determine whether a given email is registered. The underlying weakness is a timing side channel (CWE‑208) that leaks confidential information about account existence but does not grant authentication or privilege escalation.

Affected Systems

FilamentPHP’s Filament framework is affected. Any deployment using Filament versions 4.0.0 up to and including 4.11.5, or 5.6.5, is vulnerable. The issue is fixed in Filament 4.11.5 and 5.6.5 and later releases.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not available, suggesting a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attack involves sending login requests to the exposed login endpoint; the attacker only needs to observe response timing, making this a low-barrier, remote, unauthenticated attack with no privilege escalation required.

Generated by OpenCVE AI on June 22, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Filament to version 4.11.5 or 5.6.5 or later to eliminate the timing discrepancy.
  • Implement rate limiting or throttling on the login endpoint to reduce the feasibility of timing attacks.
  • Monitor authentication logs for repeated rapid login attempts that could indicate enumeration activity.

Generated by OpenCVE AI on June 22, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5.
Title Filament: Timing-based user enumeration on login page
Weaknesses CWE-208
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:42:37.340Z

Reserved: 2026-05-20T23:12:43.032Z

Link: CVE-2026-48166

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses
  • CWE-208

    Observable Timing Discrepancy