{"uuid": "7686756a-f0ae-44e1-80c2-4e1c9aefdece", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48166", "type": "seen", "source": "https://gist.github.com/alon710/0cc6180222e375f03b77f1081a3811f5", "content": "# CVE-2026-48166: Timing-Based User Enumeration on Login Page in Filament\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-23\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48166\n\n## Summary\nAn observable timing discrepancy vulnerability (CWE-208) in Filament's administrative login page allows unauthenticated remote attackers to determine the existence of registered email addresses. This timing side-channel arises from short-circuiting logic that skips expensive password hashing checks when a queried email address is not found in the database. Attackers can execute statistical timing attacks to map active administrator accounts, facilitating subsequent targeted brute-force or credential-stuffing campaigns.\n\n## TL;DR\nA timing-based user enumeration vulnerability in Filament login pages allows unauthenticated remote attackers to identify valid registered email addresses due to a short-circuiting logic flaw in the authentication mechanism.\n\n## Technical Details\n\n- **CWE ID**: CWE-208\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 5.3 (Medium)\n- **EPSS Score**: 0.0021\n- **Exploit Status**: None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- filament/filament\n- Filament Panels\n- Filament Auth Page\n- **filament/filament**: >= 4.0.0, < 4.11.5 (Fixed in: `4.11.5`)\n- **filament/filament**: >= 5.0.0, < 5.6.5 (Fixed in: `5.6.5`)\n\n## Mitigation\n\n- Upgrade the filament/filament package to 4.11.5 (for v4.x) or 5.6.5 (for v5.x).\n- Increase the `timebox_duration` configuration in `auth.php` to exceed peak CPU hashing latencies.\n- Deploy web application rate limiting on the login route to block automated sequential timing tests.\n\n**Remediation Steps:**\n1. Verify the current Filament version via `composer show filament/filament`.\n2. Run `composer update filament/filament` to apply the official security patch.\n3. Review `config/auth.php` and adjust the `timebox_duration` config variable based on production hardware constraints.\n4. Implement rate limit configurations at the web server (Nginx/Apache) or reverse proxy layer for the administrative login URI.\n\n## References\n\n- [GHSA-5w46-g9pq-wh6f: Timing-Based User Enumeration on Login Page in Filament](https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f)\n- [Fix Commit 33a9f576efb0d43372607487aebd17eae4315f1f](https://github.com/filamentphp/filament/commit/33a9f576efb0d43372607487aebd17eae4315f1f)\n- [CVE-2026-48166 on CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-48166)\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48166) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T07:42:24.000000Z"}