CWE-208

Observable Timing Discrepancy

Parent: CWE-203 - Observable Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

137 vulnerabilities with CWE-208
CVE-2026-54411 MEDIUM
Linux-PAM < 1.7.2 - Observable Timing Discrepancy
CVSS 5.9
CVE-2026-48011 LOW
Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
CVSS 3.7
CVE-2026-48859 MEDIUM
SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration
CVSS 5.3
CVE-2026-5419 LOW
gnutls - Observable Timing Discrepancy in PKCS#7 Padding Check
CVSS 3.7
CVE-2026-45410 MEDIUM
Time-based user enumeration in TREK authentication endpoint
CVSS 5.3
CVE-2026-5091 MEDIUM
Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks
CVSS 5.1
CVE-2026-44061 MEDIUM
Netatalk 1.5.0-4.4.2 and >=4.5.0 - Observable Timing Discrepancy via DES-ECB Authentication
CVSS 5.9
CVE-2026-47373 HIGH
Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks
CVSS 7.5
CVE-2026-47784 HIGH
memcached < 1.6.42 - Observable Timing Discrepancy in SASL Password Authentication
CVSS 8.1
CVE-2026-47783 HIGH
memcached < 1.6.42 - Observable Timing Discrepancy in SASL Username Validation
CVSS 8.1
CVE-2026-44368 MEDIUM
PyQuorum: Timing side-channel in mul_mod
CVE-2026-42602 HIGH
azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
CVSS 8.1
CVE-2026-43514 LOW
Apache Tomcat: AJP secret compared in non-constant time
CVSS 3.7
CVE-2026-41588 CRITICAL
RELATE: Timing Attack Vulnerability in course/auth.py — check_sign_in_key()
CVSS 9.0
CVE-2026-41161 MEDIUM
Username Enumeration via Timing Attack
CVSS 5.3
CVE-2026-33006 MEDIUM
Apache HTTP Server: mod_auth_digest timing attack
CVSS 4.8
CVE-2026-41263 LOW
Traefik: BasicAuth middleware: timing side-channel vulnerability
CVSS 3.7
CVE-2026-41407 LOW
OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison
CVSS 3.7
CVE-2026-40972 HIGH
Spring Boot 2.7.0-2.7.32, 3.3.0-3.3.18, 3.4.0-3.4.15, 3.5.0-3.5.13, 4.0.0-4.0.5 - Timing Discrepancy in DevTools
CVSS 7.5
CVE-2026-41244 MEDIUM
Mojic: Observable Timing Discrepancy in HMAC Verification
CVSS 4.7
CVE-2026-41418 MEDIUM
4ga Boards: User Enumeration via Timing Side-Channel in Authentication Endpoint
CVSS 5.3
CVE-2026-22746 LOW
User Attribute Enumeration when Using DaoAuthenticationProvider
CVSS 3.7
CVE-2026-40263 LOW
Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel
CVSS 3.7
CVE-2026-33877 LOW
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
CVSS 3.7
CVE-2026-5086 HIGH
Crypt::SecretBuffer versions before 0.019 for Perl is susceptible to timing attacks
CVSS 7.5