Common Weakness Enumeration

CWE-208

Allowed

Observable Timing Discrepancy

Abstraction: Base · Status: Incomplete

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

306 vulnerabilities reference this CWE, most recent first.

GHSA-95C6-P277-P87G

Vulnerability from github – Published: 2026-01-21 22:27 – Updated: 2026-01-22 15:40
VLAI
Summary
FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection
Details

Impact

Timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks.

Affected: all users relying on verify_key() for API key authentication prior to the fix.

Patches

Yes. Users should upgrade to version 1.1.0 (or the version containing this fix). The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation.

Workarounds

  • Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied.
  • Use rate limiting to reduce the feasibility of statistical timing attacks.

References

  • CWE-208: Observable Timing Discrepancy
  • Commit: 87b27640f77c5ef86c46311b6b5a7e2887e35b77
  • OWASP: https://owasp.org/www-community/attacks/Timing_attack
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "fastapi-api-key"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T22:27:39Z",
    "nvd_published_at": "2026-01-21T23:15:53Z",
    "severity": "LOW"
  },
  "details": "### Impact\nTiming side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks.\n\nAffected: all users relying on verify_key() for API key authentication prior to the fix.\n\n### Patches\nYes. Users should upgrade to version 1.1.0 (or the version containing this fix). The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation.\n\n### Workarounds\n- Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied.\n- Use rate limiting to reduce the feasibility of statistical timing attacks.\n\n### References\n- CWE-208: Observable Timing Discrepancy\n- Commit: 87b27640f77c5ef86c46311b6b5a7e2887e35b77\n- OWASP: https://owasp.org/www-community/attacks/Timing_attack",
  "id": "GHSA-95c6-p277-p87g",
  "modified": "2026-01-22T15:40:29Z",
  "published": "2026-01-21T22:27:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23996"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Athroniaeth/fastapi-api-key/commit/310b2c5c77305f38c63c0b917539a0344071dfd8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Athroniaeth/fastapi-api-key"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Athroniaeth/fastapi-api-key/releases/tag/1.1.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection"
}

GHSA-95QG-PCPR-8WR9

Vulnerability from github – Published: 2026-07-15 00:31 – Updated: 2026-07-15 00:31
VLAI
Details

HCL BigFix Platform is affected by a user enumeration vulnerability which might allow an attacker, through careful system control and response time monitoring, to perform some level of user enumeration for the BigFix service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T22:16:52Z",
    "severity": "LOW"
  },
  "details": "HCL BigFix Platform is affected by a user enumeration vulnerability which might allow an attacker, through careful system control and response time monitoring, to perform some level of user enumeration for the BigFix service.",
  "id": "GHSA-95qg-pcpr-8wr9",
  "modified": "2026-07-15T00:31:40Z",
  "published": "2026-07-15T00:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21840"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0132093"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-974V-C5M7-M9WC

Vulnerability from github – Published: 2024-04-25 18:30 – Updated: 2024-04-25 18:30
VLAI
Details

A timing-based side-channel flaw exists in the perl-Crypt-OpenSSL-RSA package, which could be sufficient to recover plaintext across a network in a Bleichenbacher-style attack. To achieve successful decryption, an attacker would have to be able to send a large number of trial messages. The vulnerability affects the legacy PKCS#1v1.5 RSA encryption padding mode.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2467"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-25T17:15:49Z",
    "severity": "MODERATE"
  },
  "details": "A timing-based side-channel flaw exists in the perl-Crypt-OpenSSL-RSA package, which could be sufficient to recover plaintext across a network in a Bleichenbacher-style attack. To achieve successful decryption, an attacker would have to be able to send a large number of trial messages. The vulnerability affects the legacy PKCS#1v1.5 RSA encryption padding mode.",
  "id": "GHSA-974v-c5m7-m9wc",
  "modified": "2024-04-25T18:30:39Z",
  "published": "2024-04-25T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2467"
    },
    {
      "type": "WEB",
      "url": "https://github.com/toddr/Crypt-OpenSSL-RSA/issues/42"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-2467"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269567"
    },
    {
      "type": "WEB",
      "url": "https://people.redhat.com/~hkario/marvin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-98Q5-3V5R-QVFH

Vulnerability from github – Published: 2026-07-15 12:32 – Updated: 2026-07-15 12:32
VLAI
Details

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing measurements.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-15T12:18:15Z",
    "severity": "MODERATE"
  },
  "details": "Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing measurements.",
  "id": "GHSA-98q5-3v5r-qvfh",
  "modified": "2026-07-15T12:32:02Z",
  "published": "2026-07-15T12:32:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/security/advisories/GHSA-gq3j-xvxp-8hrf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56764"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/hono-timing-attack-in-basicauth-and-bearerauth-middleware"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9F3H-4XVQ-5R5Q

Vulnerability from github – Published: 2022-12-28 21:30 – Updated: 2023-01-06 21:30
VLAI
Details

A vulnerability, which was classified as problematic, was found in InSTEDD Nuntium. Affected is an unknown function of the file app/controllers/geopoll_controller.rb. The manipulation of the argument signature leads to observable timing discrepancy. It is possible to launch the attack remotely. The name of the patch is 77236f7fd71a0e2eefeea07f9866b069d612cf0d. It is recommended to apply a patch to fix this issue. VDB-217002 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-28T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, was found in InSTEDD Nuntium. Affected is an unknown function of the file app/controllers/geopoll_controller.rb. The manipulation of the argument signature leads to observable timing discrepancy. It is possible to launch the attack remotely. The name of the patch is 77236f7fd71a0e2eefeea07f9866b069d612cf0d. It is recommended to apply a patch to fix this issue. VDB-217002 is the identifier assigned to this vulnerability.",
  "id": "GHSA-9f3h-4xvq-5r5q",
  "modified": "2023-01-06T21:30:42Z",
  "published": "2022-12-28T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4823"
    },
    {
      "type": "WEB",
      "url": "https://github.com/instedd/nuntium/commit/77236f7fd71a0e2eefeea07f9866b069d612cf0d"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217002"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GMJ-V2M8-QFFV

Vulnerability from github – Published: 2024-12-29 09:30 – Updated: 2024-12-31 21:30
VLAI
Details

GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-29T07:15:06Z",
    "severity": "MODERATE"
  },
  "details": "GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.",
  "id": "GHSA-9gmj-v2m8-qffv",
  "modified": "2024-12-31T21:30:45Z",
  "published": "2024-12-29T09:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56738"
    },
    {
      "type": "WEB",
      "url": "https://savannah.gnu.org/bugs/?66603"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GRJ-J43M-MJQR

Vulnerability from github – Published: 2022-06-24 00:00 – Updated: 2022-12-05 23:37
VLAI
Summary
Observable timing discrepancy allows determining username validity in Jenkins
Details

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames.

Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.334"
            },
            {
              "fixed": "2.356"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.332.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-34174"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-05T23:37:15Z",
    "nvd_published_at": "2022-06-23T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames.\n\nLogin attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.",
  "id": "GHSA-9grj-j43m-mjqr",
  "modified": "2022-12-05T23:37:15Z",
  "published": "2022-06-24T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34174"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/957ef5902f2e40b6358e6d10f12b26f9dbd2f75a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Observable timing discrepancy allows determining username validity in Jenkins"
}

GHSA-9H64-2846-7X7F

Vulnerability from github – Published: 2026-05-06 23:13 – Updated: 2026-05-06 23:13
VLAI
Summary
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening
Details

Summary

Eight independently-filed bug fixes in the v7.1.3 → v7.5.0 release window collectively close a set of multi-tenant isolation, access-control, and policy-enforcement defects in the AxonFlow platform. They are filed as a single consolidated advisory because the recommended remediation is a single platform upgrade.

Affected versions

< 7.5.0. Specific items affect different earlier minors; see Impact below.

Patched versions

>= 7.5.0.

Impact

# Item Affected Patched CWE
1 MAP execution multi-tenant isolation. A body-supplied org_id could override the Basic-auth-derived org for both execution recording and policy evaluation. In multi-tenant deployments with shared agents, this could record one tenant's request under another tenant's audit log and evaluate it under the wrong tenant's policy set. < 7.4.5 >= 7.4.5 CWE-863
2 Cross-tenant audit-log leak via evidence/explain handlers. The handlers behind /api/v1/evidence/* and /api/v1/decisions/*/explain failed open when the tenant context was missing, returning data scoped to a different tenant or returning data without scope. < 7.2.0 >= 7.2.0 CWE-200, CWE-863
3 License-validation bypass on onboard-customer. The portal customer-onboard endpoint lacked authentication and license-key validation, allowing unauthenticated callers to invoke the onboard flow. < 7.2.0 >= 7.2.0 CWE-862
4 Tenant-scope fail-open on evidence/explain. Distinct from item 2: when tenant headers were absent, the handler defaulted to a permissive read scope rather than refusing the request. < 7.2.0 >= 7.2.0 CWE-862
5 Internal-service auth fallback bypass in non-Community modes. Evaluation/Enterprise builds carried an auth fallback path that, under specific request shapes, could be exploited to bypass apiAuthMiddleware. < 7.2.0 >= 7.2.0 CWE-863
6 Login timing / org-existence disclosure on the portal. The login handler returned different timing and response bodies for invalid-org vs invalid-password, allowing org enumeration. < 7.1.3 >= 7.1.3 CWE-208
7 Portal DoS via unbounded request body. The portal accepted unbounded request bodies, allowing memory-exhaustion attacks. Capped at 1 MiB. < 7.1.5 >= 7.1.5 CWE-770
8 SQL-injection enforcement regression on try.getaxonflow.com. The Community SaaS hosted endpoint inherited the warn SQLi default introduced in v6.2.0, allowing SQL-injection-shaped requests to pass governance to the LLM. Self-hosted deployments were unaffected unless they manually changed the default. < 7.5.0 (try.getaxonflow.com only) >= 7.5.0 CWE-89

Remediation

Upgrade to AxonFlow platform v7.5.0 or later. No configuration changes required — the platform is purely additive and existing API/SDK callers continue to work.

For users who can't upgrade immediately, item-specific mitigations:

  • Items 1–5: ensure the agent middleware sets X-Org-ID / X-Tenant-ID from authenticated identity at the ingress, never accepting body-supplied identity.
  • Item 8 (Community SaaS): SQLI_ACTION=block can be set explicitly via the agent task definition; v7.5.0 makes this the default.

Resources

  • AxonFlow v7.5.0 CHANGELOG entry: https://github.com/getaxonflow/axonflow/blob/main/CHANGELOG.md
  • AxonFlow v7.5.0 GitHub Release: https://github.com/getaxonflow/axonflow/releases/tag/v7.5.0

Credit

Identified by AxonFlow internal security review during the April 2026 quality-freeze epic.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/getaxonflow/axonflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-208",
      "CWE-770",
      "CWE-862",
      "CWE-863",
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T23:13:27Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nEight independently-filed bug fixes in the v7.1.3 \u2192 v7.5.0 release window collectively close a set of multi-tenant isolation, access-control, and policy-enforcement defects in the AxonFlow platform. They are filed as a single consolidated advisory because the recommended remediation is a single platform upgrade.\n\n## Affected versions\n\n`\u003c 7.5.0`. Specific items affect different earlier minors; see Impact below.\n\n## Patched versions\n\n`\u003e= 7.5.0`.\n\n## Impact\n\n| # | Item | Affected | Patched | CWE |\n|---|---|---|---|---|\n| 1 | **MAP execution multi-tenant isolation.** A body-supplied `org_id` could override the Basic-auth-derived org for both execution recording and policy evaluation. In multi-tenant deployments with shared agents, this could record one tenant\u0027s request under another tenant\u0027s audit log and evaluate it under the wrong tenant\u0027s policy set. | `\u003c 7.4.5` | `\u003e= 7.4.5` | CWE-863 |\n| 2 | **Cross-tenant audit-log leak via evidence/explain handlers.** The handlers behind `/api/v1/evidence/*` and `/api/v1/decisions/*/explain` failed open when the tenant context was missing, returning data scoped to a different tenant or returning data without scope. | `\u003c 7.2.0` | `\u003e= 7.2.0` | CWE-200, CWE-863 |\n| 3 | **License-validation bypass on `onboard-customer`.** The portal customer-onboard endpoint lacked authentication and license-key validation, allowing unauthenticated callers to invoke the onboard flow. | `\u003c 7.2.0` | `\u003e= 7.2.0` | CWE-862 |\n| 4 | **Tenant-scope fail-open on evidence/explain.** Distinct from item 2: when tenant headers were absent, the handler defaulted to a permissive read scope rather than refusing the request. | `\u003c 7.2.0` | `\u003e= 7.2.0` | CWE-862 |\n| 5 | **Internal-service auth fallback bypass in non-Community modes.** Evaluation/Enterprise builds carried an auth fallback path that, under specific request shapes, could be exploited to bypass `apiAuthMiddleware`. | `\u003c 7.2.0` | `\u003e= 7.2.0` | CWE-863 |\n| 6 | **Login timing / org-existence disclosure on the portal.** The login handler returned different timing and response bodies for invalid-org vs invalid-password, allowing org enumeration. | `\u003c 7.1.3` | `\u003e= 7.1.3` | CWE-208 |\n| 7 | **Portal DoS via unbounded request body.** The portal accepted unbounded request bodies, allowing memory-exhaustion attacks. Capped at 1 MiB. | `\u003c 7.1.5` | `\u003e= 7.1.5` | CWE-770 |\n| 8 | **SQL-injection enforcement regression on `try.getaxonflow.com`.** The Community SaaS hosted endpoint inherited the `warn` SQLi default introduced in v6.2.0, allowing SQL-injection-shaped requests to pass governance to the LLM. Self-hosted deployments were unaffected unless they manually changed the default. | `\u003c 7.5.0` (try.getaxonflow.com only) | `\u003e= 7.5.0` | CWE-89 |\n\n## Remediation\n\nUpgrade to AxonFlow platform **v7.5.0** or later. No configuration changes required \u2014 the platform is purely additive and existing API/SDK callers continue to work.\n\nFor users who can\u0027t upgrade immediately, item-specific mitigations:\n\n- **Items 1\u20135:** ensure the agent middleware sets `X-Org-ID` / `X-Tenant-ID` from authenticated identity at the ingress, never accepting body-supplied identity.\n- **Item 8 (Community SaaS):** `SQLI_ACTION=block` can be set explicitly via the agent task definition; v7.5.0 makes this the default.\n\n## Resources\n\n- AxonFlow v7.5.0 CHANGELOG entry: https://github.com/getaxonflow/axonflow/blob/main/CHANGELOG.md\n- AxonFlow v7.5.0 GitHub Release: https://github.com/getaxonflow/axonflow/releases/tag/v7.5.0\n\n## Credit\n\nIdentified by AxonFlow internal security review during the April 2026 quality-freeze epic.",
  "id": "GHSA-9h64-2846-7x7f",
  "modified": "2026-05-06T23:13:27Z",
  "published": "2026-05-06T23:13:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getaxonflow/axonflow/security/advisories/GHSA-9h64-2846-7x7f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getaxonflow/axonflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getaxonflow/axonflow/blob/main/CHANGELOG.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getaxonflow/axonflow/releases/tag/v7.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening"
}

GHSA-9H6G-6MXG-VVP4

Vulnerability from github – Published: 2021-04-19 14:47 – Updated: 2021-10-08 21:24
VLAI
Summary
Timing side channel vulnerability in endpoint request handler in Vaadin 15-19
Details

Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.

  • https://vaadin.com/security/cve-2021-31406
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "19.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.0.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.0"
            },
            {
              "fixed": "18.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-16T23:13:06Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Non-constant-time comparison of CSRF tokens in endpoint request handler in `com.vaadin:flow-server` versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.\n\n- https://vaadin.com/security/cve-2021-31406",
  "id": "GHSA-9h6g-6mxg-vvp4",
  "modified": "2021-10-08T21:24:35Z",
  "published": "2021-04-19T14:47:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/platform/security/advisories/GHSA-9h6g-6mxg-vvp4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/platform"
    },
    {
      "type": "WEB",
      "url": "https://vaadin.com/security/cve-2021-31406"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Timing side channel vulnerability in endpoint request handler in Vaadin 15-19"
}

GHSA-9HCM-HR65-2825

Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2024-10-29 15:32
VLAI
Details

mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server's response time, potentially leading to unauthorized access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T13:15:08Z",
    "severity": "HIGH"
  },
  "details": "mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server\u0027s response time, potentially leading to unauthorized access.",
  "id": "GHSA-9hcm-hr65-2825",
  "modified": "2024-10-29T15:32:05Z",
  "published": "2024-10-29T15:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7010"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mudler/localai/commit/db1159b6511e8fa09e594f9db0fec6ab4e142468"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/e286ed00-6383-47de-b5bc-9b9fad67c362"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-462: Cross-Domain Search Timing

An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.

CAPEC-541: Application Fingerprinting

An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.

CAPEC-580: System Footprinting

An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.