VYPR
Medium severity (5.3) · NVD Advisory · Published May 8, 2026 · Updated May 12, 2026

CVE-2026-41161

Description

Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sync-in Server before 2.2.0 allows unauthenticated remote attackers to enumerate valid usernames via response-time analysis on the /api/auth/login endpoint.

Vulnerability

Overview

CVE-2026-41161 is a timing-based username enumeration vulnerability in Sync-in Server, an open-source file storage and collaboration platform. The flaw resides in the /api/auth/login endpoint, specifically within the compareUserPassword function. When an invalid username is provided, the function returns early after failing to find a user record, resulting in a significantly shorter response time (approximately 95–100 ms) compared to a valid username (approximately 350–400 ms) [4]. This timing discrepancy allows an unauthenticated remote attacker to distinguish between valid and invalid usernames.

Exploitation

An attacker can exploit this vulnerability by sending authentication requests to the /api/auth/login endpoint with different usernames and measuring the server's response time. No authentication is required, and the attack can be performed remotely over the network. The timing difference was validated using tools such as the TickTock Enum Burp Suite extension [4]. The attack surface is the login endpoint, which is typically exposed to the internet.

Impact

Successful exploitation enables an unauthenticated remote attacker to enumerate valid usernames on the Sync-in Server instance. This information significantly weakens the application's security posture by facilitating targeted attacks, including brute-force password guessing, credential stuffing, and social engineering campaigns [4]. The enumeration itself does not grant access but is a critical stepping stone for further compromise.

Mitigation

The vulnerability has been patched in Sync-in Server version 2.2.0 [2]. The fix involves security hardening of the Basic Auth mechanism to ensure consistent response timing regardless of whether a username is valid [2]. Users are strongly advised to upgrade to version 2.2.0 or later. No workarounds have been publicly documented.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @sync-in/server (npm)
Affected versions: < 2.2.0
Patched versions: 2.2.0

Affected products: 1

Patches: 0 (no patch commits discovered yet)


References: 4

News mentions: 0 (no linked articles in the index yet)