CVE-2026-40263: Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel

April 13, 2026 (updated April 24, 2026)

A timing side-channel in the login endpoint allows unauthenticated attackers to determine whether a username exists by measuring response time differences. Requests for valid usernames take noticeably longer because the server performs bcrypt password verification, while requests for nonexistent usernames return much faster. This enables reliable remote username enumeration and increases the risk of targeted credential attacks.

References

github.com/advisories/GHSA-w6m9-39cv-2fwp
github.com/enchant97/note-mark
github.com/enchant97/note-mark/commit/cf4c6f6acf70b569d80396d323b067c00d45c034
github.com/enchant97/note-mark/security/advisories/GHSA-w6m9-39cv-2fwp
nvd.nist.gov/vuln/detail/CVE-2026-40263

Code Behaviors & Features

Detect and mitigate CVE-2026-40263 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →