EIP-2026-104164

PRE-CVE

Apache Superset 1.1.0 - Time-Based Account Enumeration

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104164. PoCs published by Dolev Farhi.

AI-analyzed exploit summary: This exploit demonstrates a time-based account enumeration vulnerability in Apache Superset 1.1.0 by measuring the response time for login attempts with different usernames. Longer response times indicate valid usernames because of the application's behavior during authentication.

Description

Apache Superset 1.1.0 - Time-Based Account Enumeration

Exploits (1)

exploitdb WORKING POC
by Dolev Farhi · python · webapps · multiple
https://www.exploit-db.com/exploits/50072


Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Apache Superset 1.1.0
No auth needed
Prerequisites: Network access to the target Superset instance · A list of usernames to test
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026