CVE-2026-25222

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms).

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/polarnl/PolarLearn/commit/6c276855172c7310cce0df996cb47ffe0d886741	Patch
https://github.com/polarnl/PolarLearn/security/advisories/GHSA-wcr9-mvr9-4qh5	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:polarlearn:polarlearn:-:*:*:*:*:*:*:*

History

20 Feb 2026, 20:48

Type	Values Removed	Values Added
First Time		Polarlearn Polarlearn polarlearn
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
Summary		(es) PolarLearn es un programa de aprendizaje gratuito y de código abierto. En 0-PRERELEASE-15 y versiones anteriores, una vulnerabilidad de ataque de temporización en el proceso de inicio de sesión permite a atacantes no autenticados determinar si una dirección de correo electrónico específica está registrada en la plataforma. Al medir el tiempo de respuesta del endpoint de inicio de sesión, un atacante puede distinguir entre direcciones de correo electrónico válidas e inválidas. Esto ocurre porque el servidor solo realiza el hash de contraseña Argon2, que es computacionalmente costoso, si el usuario existe en la base de datos. Las solicitudes para usuarios existentes tardan significativamente más tiempo (~650ms) que las solicitudes para usuarios no existentes (~160ms).
CPE		cpe:2.3:a:polarlearn:polarlearn:-:::::::*
References	~~() https://github.com/polarnl/PolarLearn/commit/6c276855172c7310cce0df996cb47ffe0d886741 -~~	() https://github.com/polarnl/PolarLearn/commit/6c276855172c7310cce0df996cb47ffe0d886741 - Patch
References	~~() https://github.com/polarnl/PolarLearn/security/advisories/GHSA-wcr9-mvr9-4qh5 -~~	() https://github.com/polarnl/PolarLearn/security/advisories/GHSA-wcr9-mvr9-4qh5 - Exploit, Vendor Advisory

02 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-02 23:16

Updated : 2026-02-20 20:48

NVD link : CVE-2026-25222

Mitre link : CVE-2026-25222

CVE.ORG link : CVE-2026-25222

JSON object : View

Products Affected

polarlearn

polarlearn

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

7.5 /10