Timing Attack Vulnerability in PolarLearn Learning Program
CVE-2026-25222

6.3MEDIUM

Key Information:

Vendor: Polarnl
Status: Polarlearn
Vendor: CVE Published:; 2 February 2026

What is CVE-2026-25222?

PolarLearn, a free and open-source learning platform, has a vulnerability in its sign-in process that exposes registered email addresses. Attackers can exploit this timing attack by measuring the response time of login attempts to differentiate between valid and invalid email addresses. The server engages in a resource-intensive Argon2 password hashing operation only if a user account exists, thus revealing telltale delays in processing requests for valid accounts. This issue primarily affects PolarLearn versions up to 0-PRERELEASE-15, allowing unauthorized users to verify the presence of an email address within the system.

Affected Version(s)

PolarLearn <= 0-PRERELEASE-15

References

https://github.com/polarnl/PolarLearn/security/advisories...

x_refsource_CONFIRM

https://github.com/polarnl/PolarLearn/commit/6c276855172c...

x_refsource_MISC

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 2, 2026
Vulnerability Reserved
Jan 30, 2026

CVE-2026-25222 Data

JSON

Polarnl

What is CVE-2026-25222?

Affected Version(s)

References

CVSS V4

Timeline