Information Exposure Through Timing Discrepancy in otp - CVE-2026-48859
Published: July 2, 2026
otp
Detailed vulnerability description
The vulnerability allows a remote attacker to enumerate valid usernames.
The vulnerability exists due to an observable timing discrepancy in ssh_auth:check_password/3 when processing SSH password authentication with the user_passwords option. A remote attacker can send a password authentication attempt to enumerate valid usernames.
Only systems using the user_passwords or password option for SSH daemon password authentication are vulnerable.
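The following is an added illustration, not OTP source code and not a vendor fix: a credential check that does the same work for known and unknown usernames, written as a pwdfun callback for the ssh daemon. It assumes a custom pwdfun is used in place of user_passwords; the module name uniform_pwd, its functions and the sample account are hypothetical.

```erlang
%% Added illustration: not OTP source code, not the vendor's fix.
%% Module, function names and the sample account are hypothetical.
-module(uniform_pwd).
-export([pwdfun/1, daemon_opts/1, demo/0]).

%% Returns a fun(User, Password) -> boolean() for the ssh daemon option
%% {pwdfun, Fun}. Users :: [{User :: string(), Password :: string()}].
pwdfun(Users) ->
    %% Keep fixed-length digests so every comparison is 32 bytes against
    %% 32 bytes. This is for uniform comparison only; it is not a
    %% password-storage scheme.
    Table = maps:from_list([{U, digest(P)} || {U, P} <- Users]),
    %% Random stand-in digest compared against when the user is unknown.
    Dummy = crypto:strong_rand_bytes(32),
    fun(User, Password) ->
        Given = digest(Password),
        {Known, Stored} =
            case maps:find(User, Table) of
                {ok, Digest} -> {true, Digest};
                error -> {false, Dummy}
            end,
        %% Always run the comparison, then combine, so an unknown name
        %% does not return earlier than a known name with a bad password.
        Match = crypto:hash_equals(Stored, Given),
        Known and Match
    end.

digest(Str) ->
    crypto:hash(sha256, unicode:characters_to_binary(Str)).

%% Options to merge into the list passed to ssh:daemon/2 in place of
%% user_passwords / password.
daemon_opts(Users) ->
    [{pwdfun, pwdfun(Users)}].

%% Constructed sample data: one account, three attempts
%% (good password, bad password, unknown user).
demo() ->
    Check = pwdfun([{"alice", "correct horse"}]),
    [Check("alice", "correct horse"),
     Check("alice", "wrong"),
     Check("nobody", "wrong")].
```

crypto:hash_equals/2 requires OTP 25 or later and raises an error if the two binaries differ in length, which is why both sides are kept at 32 bytes.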