CVE-2026-41161

UNKNOWN 0.0

Username Enumeration via Timing Attack

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0.

CWE	CWE-208
Vendor	sync-in
Product	server
Published	May 8, 2026

Stay Ahead of the Next One

Get instant alerts for sync-in server

Be the first to know when new unknown vulnerabilities affecting sync-in server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Sync-in / server

< 2.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Sync-in/server/security/advisories/GHSA-43fj-qp3h-hrh5 github.com: https://github.com/Sync-in/server/releases/tag/v2.2.0