Description

4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in the login endpoint (POST /api/access-tokens). When an invalid username/email is provided, the server responds immediately (~17ms average). When a valid username/email is provided with an incorrect password, the server first performs a bcrypt.compareSync() operation (~74ms average) before responding. This ~4.4× timing difference is trivially detectable even over a network — a single request suffices. This vulnerability is fixed in 3.3.5.

INFO

Published Date :

2026-04-24T18:49:38.599Z

Last Modified :

2026-04-24T19:59:10.069Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41418 vulnerability.

Vendors Products
Rargames
  • 4gaboards
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41418.

URL Resource
https://github.com/RARgames/4gaBoards/security/advisories/GHSA-8mj9-p99h-jhxp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact