CVE-2026-41418: CWE-208: Observable Timing Discrepancy in RARgames 4gaBoards
CVE-2026-41418 is a timing side-channel vulnerability in 4ga Boards versions prior to 3. 3. 5 that allows user enumeration via the login endpoint. The server responds significantly faster when an invalid username/email is provided compared to a valid username/email with an incorrect password, due to the bcrypt. compareSync() operation. This timing difference is easily detectable over a network with a single request. The vulnerability has a medium severity with a CVSS score of 5. 3 and is fixed in version 3. 3. 5.
AI Analysis
Technical Summary
4ga Boards, a realtime project management board system by RARgames, has a timing discrepancy vulnerability (CWE-208) in its login API (POST /api/access-tokens) in versions before 3.3.5. When an invalid username/email is submitted, the server responds immediately (~17ms), whereas for a valid username/email with a wrong password, the server performs a bcrypt.compareSync() operation (~74ms) before responding. This ~4.4× timing difference enables attackers to enumerate valid usernames or emails by measuring response times. The issue is resolved in version 3.3.5.
Potential Impact
An attacker can determine valid usernames or email addresses registered in the 4ga Boards system by measuring response times from the login endpoint. This user enumeration can facilitate targeted attacks such as phishing or password guessing. The vulnerability does not directly disclose passwords or allow unauthorized access but leaks information about valid user accounts.
Mitigation Recommendations
Upgrade 4ga Boards to version 3.3.5 or later, where this timing side-channel vulnerability has been fixed. No other mitigation is indicated or required according to the available data.
CVE-2026-41418: CWE-208: Observable Timing Discrepancy in RARgames 4gaBoards
Description
CVE-2026-41418 is a timing side-channel vulnerability in 4ga Boards versions prior to 3. 3. 5 that allows user enumeration via the login endpoint. The server responds significantly faster when an invalid username/email is provided compared to a valid username/email with an incorrect password, due to the bcrypt. compareSync() operation. This timing difference is easily detectable over a network with a single request. The vulnerability has a medium severity with a CVSS score of 5. 3 and is fixed in version 3. 3. 5.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
4ga Boards, a realtime project management board system by RARgames, has a timing discrepancy vulnerability (CWE-208) in its login API (POST /api/access-tokens) in versions before 3.3.5. When an invalid username/email is submitted, the server responds immediately (~17ms), whereas for a valid username/email with a wrong password, the server performs a bcrypt.compareSync() operation (~74ms) before responding. This ~4.4× timing difference enables attackers to enumerate valid usernames or emails by measuring response times. The issue is resolved in version 3.3.5.
Potential Impact
An attacker can determine valid usernames or email addresses registered in the 4ga Boards system by measuring response times from the login endpoint. This user enumeration can facilitate targeted attacks such as phishing or password guessing. The vulnerability does not directly disclose passwords or allow unauthorized access but leaks information about valid user accounts.
Mitigation Recommendations
Upgrade 4ga Boards to version 3.3.5 or later, where this timing side-channel vulnerability has been fixed. No other mitigation is indicated or required according to the available data.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T15:32:33.813Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ebc30587115cfb68680b0a
Added to database: 4/24/2026, 7:22:45 PM
Last enriched: 5/1/2026, 8:41:25 PM
Last updated: 6/8/2026, 5:08:32 PM
Views: 64
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.