DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48166: Timing-Based User Enumeration on Login Page in Filament

Vulnerability ID: CVE-2026-48166
CVSS Score: 5.3
Published: 2026-06-23

An observable timing discrepancy vulnerability (CWE-208) in Filament's administrative login page allows unauthenticated remote attackers to determine the existence of registered email addresses. This timing side-channel arises from short-circuiting logic that skips expensive password hashing checks when a queried email address is not found in the database. Attackers can execute statistical timing attacks to map active administrator accounts, facilitating subsequent targeted brute-force or credential-stuffing campaigns.

TL;DR

A timing-based user enumeration vulnerability in Filament login pages allows unauthenticated remote attackers to identify valid registered email addresses due to a short-circuiting logic flaw in the authentication mechanism.


Technical Details

  • CWE ID: CWE-208
  • Attack Vector: Network (AV:N)
  • CVSS v3.1 Score: 5.3 (Medium)
  • EPSS Score: 0.0021
  • Exploit Status: None
  • KEV Status: Not Listed

Affected Systems

  • filament/filament
  • Filament Panels
  • Filament Auth Page
  • filament/filament: >= 4.0.0, < 4.11.5 (Fixed in: 4.11.5)
  • filament/filament: >= 5.0.0, < 5.6.5 (Fixed in: 5.6.5)

Code Analysis

Commit: 33a9f57

Prevent timing attacks during authentication and multi-factor verification using Timebox

Mitigation Strategies

  • Upgrade filament/filament package to 4.11.5 (for v4.x) or 5.6.5 (for v5.x).
  • Increase the timebox_duration configuration in auth.php to exceed peak CPU hashing latencies.
  • Deploy web application rate limiting on the login route to block automated sequential timing tests.

Remediation Steps:

  1. Verify the current Filament version via 'composer show filament/filament'.
  2. Run 'composer update filament/filament' to apply the official security patch.
  3. Review 'config/auth.php' and adjust the 'timebox_duration' config variable based on production hardware constraints.
  4. Implement rate limit configurations at the web server (Nginx/Apache) or reverse proxy layer for the administrative login URI.
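As an added illustration (not Filament's or Laravel's own code, and not the patched code from commit 33a9f57), the plain-PHP script below shows the short-circuit pattern described above beside a timeboxed version of the same check, then measures the median response time of each for a registered and an unknown email. The user table, password, bcrypt cost and the 200 ms floor are constructed assumptions; the `timebox()` helper reimplements the pattern the fix refers to rather than calling Laravel's own class.

```php
<?php
// Added illustration, not Filament/Laravel code: the short-circuit that
// produces the CWE-208 timing gap, beside a timeboxed version of the same
// check. Users, hashes and durations below are constructed for the demo.

declare(strict_types=1);

// Constructed user table: one registered account with a bcrypt hash.
$users = [
    'admin@example.test' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];

/**
 * Vulnerable pattern: an unknown email returns immediately and never runs
 * password_verify(). Unknown emails answer in microseconds, registered ones
 * only after a full bcrypt verification (tens of milliseconds).
 */
function attemptShortCircuit(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;                       // fast path leaks "no such user"
    }
    return password_verify($password, $users[$email]);
}

/**
 * Hardened pattern, following the Timebox idea from the fix commit:
 * (1) always perform the expensive hash check, against a dummy hash when
 *     the user does not exist, so both branches do the same work; and
 * (2) pad the whole attempt to a fixed floor so residual variation in
 *     hashing time is hidden. The floor must exceed the slowest real
 *     verification on the deployed hardware (this demo assumes 200 ms).
 */
function timebox(callable $callback, int $minMicroseconds)
{
    $start = hrtime(true);                  // monotonic nanoseconds
    try {
        return $callback();
    } finally {
        $elapsedUs = intdiv(hrtime(true) - $start, 1000);
        if ($elapsedUs < $minMicroseconds) {
            usleep($minMicroseconds - $elapsedUs);
        }
    }
}

function attemptTimeboxed(array $users, string $email, string $password, int $floorUs = 200_000): bool
{
    // Dummy hash built once per process so the "unknown user" branch costs
    // the same as a real verification. Constructed value, not a secret.
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]);

    return timebox(function () use ($users, $email, $password, $dummyHash): bool {
        $known = isset($users[$email]);
        $hash  = $known ? $users[$email] : $dummyHash;
        $ok    = password_verify($password, $hash);
        return $known && $ok;               // never succeed against the dummy
    }, $floorUs);
}

// Median wall-clock time of a call, in milliseconds.
function medianMs(callable $fn, int $samples = 5): float
{
    $t = [];
    for ($i = 0; $i < $samples; $i++) {
        $s = hrtime(true);
        $fn();
        $t[] = (hrtime(true) - $s) / 1e6;
    }
    sort($t);
    return $t[intdiv($samples, 2)];
}

// Compare registered vs unknown email for both implementations.
foreach (['attemptShortCircuit', 'attemptTimeboxed'] as $fn) {
    $known   = medianMs(fn() => $fn($users, 'admin@example.test', 'wrong-password'));
    $unknown = medianMs(fn() => $fn($users, 'nobody@example.test', 'wrong-password'));
    printf("%-20s registered: %7.2f ms   unknown: %7.2f ms   gap: %7.2f ms\n",
        $fn, $known, $unknown, abs($known - $unknown));
}
```

Run it with `php timebox_demo.php` (PHP 7.4 or newer). The first line shows a gap of tens of milliseconds between the two emails, the second a gap close to zero, which is the property the page's `timebox_duration` advice targets: the floor has to be chosen from the measured worst-case verification time on the production hardware, because a floor shorter than the real hashing time reintroduces the gap it is meant to hide.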

