CVE-2026-4045 is a vulnerability identified in projectsend, an open-source file sharing application, specifically affecting versions up to revision r1945. The issue resides in the authentication component, within the includes/Classes/Auth.php file. By manipulating the ldap_email argument, an attacker can induce observable response discrepancies, which may allow them to infer sensitive information or system behavior remotely. This side-channel type vulnerability does not require authentication or user interaction, but the attack complexity is high, indicating that exploitation demands significant skill or conditions. The CVSS 4.0 base score is 6.3 (medium), reflecting network attack vector, high complexity, no privileges required, no user interaction, and limited impact on confidentiality only. No integrity or availability impacts are noted. The vendor was contacted early but has not issued a patch or response, and no official fixes are currently available. Although an exploit has been published, there are no confirmed active exploitations in the wild. This vulnerability could be leveraged in targeted reconnaissance or as part of a multi-stage attack to gather information about the authentication process or user data. Given the lack of patch and public exploit, organizations using projectsend should be vigilant and implement compensating controls.

The primary impact of CVE-2026-4045 is a potential confidentiality breach through side-channel information leakage caused by response discrepancies when manipulating the ldap_email parameter. While it does not directly allow code execution, privilege escalation, or denial of service, attackers could use this vulnerability to gather sensitive authentication-related information remotely. This could facilitate further targeted attacks or credential harvesting. The high complexity reduces the likelihood of widespread exploitation, but determined adversaries with sufficient resources might exploit it in high-value environments. Organizations relying on projectsend for secure file sharing may face increased risk of information disclosure, potentially undermining trust and compliance with data protection regulations. The lack of vendor response and patch availability prolongs exposure, increasing the window of risk. Overall, the impact is moderate but could be significant in environments where confidentiality of authentication data is critical.

Since no official patch is available, organizations should implement several practical mitigations: 1) Restrict external access to projectsend instances by using network segmentation, firewalls, or VPNs to limit exposure to trusted users only. 2) Monitor and log unusual requests targeting the ldap_email parameter or exhibiting anomalous response patterns indicative of exploitation attempts. 3) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious input manipulations related to ldap_email. 4) Consider temporarily disabling or restricting LDAP authentication integration if feasible until a patch is released. 5) Keep projectsend installations updated and subscribe to vendor or community channels for any forthcoming patches or advisories. 6) Conduct regular security assessments and penetration tests focusing on authentication mechanisms to detect similar side-channel vulnerabilities. 7) Educate administrators and users about the risk and encourage strong authentication practices to reduce potential impact. These targeted measures go beyond generic advice and address the specific nature of this vulnerability.