Tick-Tock-Pwn: Timing Side-Channels in OctoPrint
Vulnerability ID: CVE-2026-23892
CVSS Score: 6.0
Published: 2026-01-27
A classic timing side-channel vulnerability in OctoPrint allows attackers on the local network to guess API keys character-by-character by measuring how long the server takes to say 'no'.
TL;DR
OctoPrint versions up to 1.11.5 compared API keys with the standard string equality operator. Because that comparison returns as soon as it hits a mismatching character, the time the server takes to reject a guess leaks how much of the key's prefix was correct. An attacker on the LAN can exploit this to brute-force the API key character by character and take full control of the printer.
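The comparison pattern described above beside a hardened lookup, as an added illustration that is not OctoPrint's code: the user store and key values are constructed for the demo, and the hardened version also handles the None and str/bytes cases that a plain call to hmac.compare_digest would raise on.

```python
import hashlib
import hmac

# Constructed sample user store (not OctoPrint's data model): None means the
# user has no API key issued, a case the comparison must tolerate.
USERS = {"alice": "k3y-abc123", "bob": None}


def lookup_vulnerable(apikey, users=USERS):
    """Pre-1.11.6 pattern: plain == returns as soon as a mismatch is found,
    so rejection time grows with the length of the correct prefix."""
    for name, stored in users.items():
        if apikey == stored:
            return name
    return None


def keys_match(candidate, stored):
    """Constant-time comparison that also tolerates None and str/bytes mixes.

    hmac.compare_digest raises TypeError on None, on a str/bytes mix and on
    non-ASCII str, and may leak the *length* of its inputs; hashing both sides
    first hands it two fixed-length byte strings every time.
    """
    if candidate is None or stored is None:
        return False
    if isinstance(candidate, str):
        candidate = candidate.encode("utf-8")
    if isinstance(stored, str):
        stored = stored.encode("utf-8")
    return hmac.compare_digest(hashlib.sha256(candidate).digest(),
                               hashlib.sha256(stored).digest())


def lookup_hardened(apikey, users=USERS):
    """Post-fix pattern: skip users without a key, compare in constant time."""
    for name, stored in users.items():
        if stored is None:
            continue
        if keys_match(apikey, stored):
            return name
    return None
```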
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-208 (Observable Timing Discrepancy)
- CVSS v4.0: 6.0 (Medium)
- Attack Vector: Adjacent (LAN)
- Attack Complexity: High (Requires statistical analysis)
- Impact: High (API Key Extraction)
- Exploit Status: Theoretical / PoC Feasible
Affected Systems
- OctoPrint <= 1.11.5 (fixed in 1.11.6)
Code Analysis
Commit: 249fd80
Primary fix: replace equality operator with hmac.compare_digest
- if apikey == user._apikey:
+ if hmac.compare_digest(apikey, user._apikey):
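Review bot: hmac.compare_digest raises TypeError instead of returning False when either argument is None or when the two arguments are not the same type (str vs bytes), so this one-line swap turns a user with no API key set (user._apikey is None), previously a harmless mismatch under ==, into an unhandled exception on every API-key lookup; add `if user._apikey is None: continue` before the call, and confirm `import hmac` is present in the module, since it is not visible in this hunk.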
Commit: 0bd35dd
Follow-up fix: handle None values in API key comparison
+ if user._apikey is None: continue
if hmac.compare_digest(apikey, user._apikey):
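Review bot: the guard covers only user._apikey being None; the candidate `apikey` is still passed through unchecked, and compare_digest also raises TypeError when one side is str and the other bytes, or when a str contains non-ASCII characters, so either validate `apikey` in the caller (reject None, normalise to bytes) or hash both sides to fixed-length digests before comparing, which also keeps the key length from influencing the comparison time.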
Mitigation Strategies
- Upgrade OctoPrint to version 1.11.6 or later.
- Isolate 3D printers on a separate VLAN or use a VPN for remote access.
- Regenerate API keys after patching if you suspect a compromise.
Remediation Steps:
- Log in to the OctoPrint interface.
- Check for software updates in the Settings menu.
- Apply the update to 1.11.6+.
- Go to Settings > API and generate a new API key to invalidate potentially stolen ones.
References
Read the full report for CVE-2026-23892 on our website for more details including interactive diagrams and full exploit analysis.