CVE-2026-41418: CWE-208: Observable Timing Discrepancy in RARgames 4gaBoards
4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in the login endpoint (POST /api/access-tokens). When an invalid username/email is provided, the server responds immediately (~17ms average). When a valid username/email is provided with an incorrect password, the server first performs a bcrypt.compareSync() operation (~74ms average) before responding. This ~4.4× timing difference is trivially detectable even over a network — a single request suffices. This vulnerability is fixed in 3.3.5.
AI Analysis
Technical Summary
4gaBoards prior to version 3.3.5 is vulnerable to user enumeration via a timing side-channel in its login API endpoint (/api/access-tokens). When an invalid username or email is submitted, the server returns a response in about 17 milliseconds on average. However, when a valid username/email is submitted with an incorrect password, the server performs a bcrypt.compareSync() operation that takes approximately 74 milliseconds before responding. This creates a measurable timing discrepancy (~4.4× difference) that allows attackers to distinguish valid usernames from invalid ones by measuring response times. This vulnerability is identified as CWE-208 and has a CVSS 3.1 base score of 5.3, indicating medium severity. The vulnerability is resolved in version 3.3.5 of 4gaBoards.
Potential Impact
An attacker can enumerate valid usernames or email addresses on vulnerable versions of 4gaBoards by exploiting the timing discrepancy in the login endpoint. This information disclosure can aid further targeted attacks such as phishing or brute force attempts. The vulnerability does not impact confidentiality of passwords or system integrity directly, nor does it affect availability. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade 4gaBoards to version 3.3.5 or later, where this timing side-channel vulnerability has been fixed. Since no official patch link or advisory is provided, verify the upgrade through the vendor's official release notes or update channels. No additional mitigation is indicated or required beyond applying the fixed version.
CVE-2026-41418: CWE-208: Observable Timing Discrepancy in RARgames 4gaBoards
Description
4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in the login endpoint (POST /api/access-tokens). When an invalid username/email is provided, the server responds immediately (~17ms average). When a valid username/email is provided with an incorrect password, the server first performs a bcrypt.compareSync() operation (~74ms average) before responding. This ~4.4× timing difference is trivially detectable even over a network — a single request suffices. This vulnerability is fixed in 3.3.5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
4gaBoards prior to version 3.3.5 is vulnerable to user enumeration via a timing side-channel in its login API endpoint (/api/access-tokens). When an invalid username or email is submitted, the server returns a response in about 17 milliseconds on average. However, when a valid username/email is submitted with an incorrect password, the server performs a bcrypt.compareSync() operation that takes approximately 74 milliseconds before responding. This creates a measurable timing discrepancy (~4.4× difference) that allows attackers to distinguish valid usernames from invalid ones by measuring response times. This vulnerability is identified as CWE-208 and has a CVSS 3.1 base score of 5.3, indicating medium severity. The vulnerability is resolved in version 3.3.5 of 4gaBoards.
Potential Impact
An attacker can enumerate valid usernames or email addresses on vulnerable versions of 4gaBoards by exploiting the timing discrepancy in the login endpoint. This information disclosure can aid further targeted attacks such as phishing or brute force attempts. The vulnerability does not impact confidentiality of passwords or system integrity directly, nor does it affect availability. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade 4gaBoards to version 3.3.5 or later, where this timing side-channel vulnerability has been fixed. Since no official patch link or advisory is provided, verify the upgrade through the vendor's official release notes or update channels. No additional mitigation is indicated or required beyond applying the fixed version.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T15:32:33.813Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ebc30587115cfb68680b0a
Added to database: 4/24/2026, 7:22:45 PM
Last enriched: 4/24/2026, 7:36:20 PM
Last updated: 4/24/2026, 9:37:30 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.