Skip to main content

4ga Boards CVE-2026-41418

| EUVDEUVD-2026-25612 MEDIUM
Observable Timing Discrepancy (CWE-208)
2026-04-24 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 19:10 nvd
Patch available
Patch available
Apr 24, 2026 - 21:02 EUVD
Analysis Generated
Apr 24, 2026 - 19:46 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 19:15 euvd
EUVD-2026-25612
Analysis Generated
Apr 24, 2026 - 19:15 vuln.today
CVE Published
Apr 24, 2026 - 18:49 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in the login endpoint (POST /api/access-tokens). When an invalid username/email is provided, the server responds immediately (~17ms average). When a valid username/email is provided with an incorrect password, the server first performs a bcrypt.compareSync() operation (~74ms average) before responding. This ~4.4× timing difference is trivially detectable even over a network - a single request suffices. This vulnerability is fixed in 3.3.5.

AnalysisAI

4ga Boards prior to version 3.3.5 leaks valid usernames and email addresses through response timing analysis on the login endpoint. An unauthenticated attacker can distinguish between invalid credentials (where the username/email does not exist) and valid credentials with an incorrect password by measuring response times, with a ~4.4× timing difference detectable in a single request over the network. This enables user enumeration attacks without brute-force constraints, allowing reconnaissance for subsequent account takeover attempts.

Technical ContextAI

The vulnerability exploits a timing side-channel in the POST /api/access-tokens login endpoint. The root cause (CWE-208: Observable Timing Discrepancy) stems from the application's conditional execution flow: when an invalid username or email is submitted, the server returns immediately (~17ms) without attempting password verification. When a valid username or email is provided, the server executes bcrypt.compareSync() to verify the password (~74ms) before responding. Since bcrypt is computationally expensive by design, this comparison introduces a measurable delay. The timing differential is large enough to be reliably detected over network latency, which typically adds 10-50ms jitter. The application uses the standard cpe:2.3:a:rargames:4gaboards product CPE, indicating this affects the core 4ga Boards product line across affected versions.

RemediationAI

Upgrade 4ga Boards to version 3.3.5 or later, which includes the fix for the timing side-channel vulnerability. If immediate patching is not possible, implement the following compensating control: modify the login endpoint to add artificial delay or constant-time comparison logic so that both valid and invalid username responses have identical latency profiles (e.g., always execute a bcrypt comparison operation regardless of username validity, or add a fixed delay such that all responses return after ~100ms). This mitigates user enumeration but does not eliminate the vulnerability and may degrade user experience. Rate-limiting on the /api/access-tokens endpoint (e.g., 5 requests per IP per minute) can reduce the statistical reliability of timing attacks but does not prevent them entirely. The primary recommended action is to deploy version 3.3.5 or later from the vendor advisory URL.

Share

CVE-2026-41418 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy