cvedb.io
CVE-2026-23892
MEDIUM · CVSS 5.9
EPSS exploitation probability: 0%
Published 2026-01-27T19:16:16.027 · Last modified 2026-06-17T10:22:16.147

Summary

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographical method with static runtime regardless of the point of mismatch, an attacker with network based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guess an API key character by character. The vulnerability is patched in version 1.11.6. The likelihood of this attack actually working is highly dependent on the network's latency,

Affected products

octoprint — octoprint

Does this affect you?

Add your gear to cvedb and we'll alert you only when octoprint ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.