VYPR
Unrated severityOSV Advisory· Published Feb 2, 2026· Updated Feb 4, 2026

PolarLearn Affected by User Enumeration via Argon2 Timing Attack on Sign-In Endpoint

CVE-2026-25222

Description

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Polarnl/PolarlearnOSV2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <=0-PRERELEASE-15

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.