CVE-2026-25050

MEDIUM

Vendure < 3.5.3 - Timing Attack Enumerating Valid Usernames via NativeAuthenticationStrategy

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-25050. PoCs published by XiaomingX, Christbowel.

AI-analyzed exploit summary This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes data extraction logic for WordPress admin credentials and hashes.

Description

Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25050

View Code ZIP pw:eip

This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes data extraction logic for WordPress admin credentials and hashes.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Quiz Maker <= 6.7.0.56

No auth needed

Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC 1 stars

by Christbowel · poc

https://github.com/Christbowel/CVE-2026-25050

View Code ZIP pw:eip

This PoC demonstrates a timing attack (CVE-2026-25050) against an authentication endpoint, allowing user enumeration by measuring response time differences between existing and non-existing users.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: NativeAuthenticationStrategy (version not specified)

No auth needed

Prerequisites: Network access to the target endpoint · A wordlist of potential usernames/emails

MITRE ATT&CK

T1592 - Gather Victim Host Information T1082 - System Information Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch

Release Notes x_refsource_misc

https://github.com/vendurehq/vendure/releases/tag/v3.5.3

Scores

CVSS v3 5.3

EPSS 0.0002

EPSS Percentile 6.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-202

Status published

Products (2)

vendure/core 0 - 3.5.3npm

vendure/vendure < 3.5.3

Published Jan 30, 2026

Tracked Since Feb 18, 2026