CVE-2026-41161
MEDIUMDescription
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0.
Is your site exposed to CVE-2026-41161?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| sync-in | sync-in_server |
References
Frequently Asked Questions
What is CVE-2026-41161? +
How severe is CVE-2026-41161? +
What products are affected by CVE-2026-41161? +
How do I check if I'm vulnerable to CVE-2026-41161? +
Related Vulnerabilities
Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. In versions 0.8.0b2 …
PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via …
An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash …
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed …
An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash …
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned …