CVE-2026-23892: OctoPrint has Timing Side-Channel Vulnerability in API Key Authentication
(updated )
OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network.
Due to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographical method with static runtime regardless of the point of mismatch, an attacker with network based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guess an API key character by character.
References
- github.com/OctoPrint/OctoPrint
- github.com/OctoPrint/OctoPrint/commit/249fd80ab01bc4b7dabedff768230a0fb5d01a8c
- github.com/OctoPrint/OctoPrint/releases/tag/1.11.6
- github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xg4x-w2j3-57h6
- github.com/advisories/GHSA-xg4x-w2j3-57h6
- nvd.nist.gov/vuln/detail/CVE-2026-23892
Code Behaviors & Features
Detect and mitigate CVE-2026-23892 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →