CVE-2026-25597 Overview
CVE-2026-25597 is a time-based user enumeration vulnerability in PrestaShop, an open source e-commerce web application. The flaw resides in the customer authentication functionality of versions prior to 8.2.4 and 9.0.3. An unauthenticated attacker can determine whether a customer account exists by measuring server response times during login attempts. The issue is classified under CWE-208 (Observable Timing Discrepancy). PrestaShop addressed the vulnerability in releases 8.2.4 and 9.0.3.
Critical Impact
Attackers can build a validated list of registered customer email addresses without authentication, enabling targeted phishing, credential stuffing, and account takeover campaigns against PrestaShop storefronts.
Affected Products
- PrestaShop versions prior to 8.2.4 (8.x branch)
- PrestaShop versions prior to 9.0.3 (9.x branch)
- PrestaShop customer authentication module
Discovery Timeline
- 2026-02-06 - CVE-2026-25597 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-25597
Vulnerability Analysis
The vulnerability is a side-channel weakness in PrestaShop's customer login flow. When a user submits credentials, the application takes measurably different amounts of time to respond depending on whether the supplied email corresponds to an existing account. Authentication for valid accounts triggers password hashing and additional database operations, while non-existent accounts short-circuit earlier in the flow. An attacker who automates login attempts and records response latency can distinguish registered customers from non-registered email addresses with high reliability. This category of weakness is tracked as CWE-208: Observable Timing Discrepancy.
Root Cause
The authentication routine does not enforce a constant-time response path between the "account does not exist" and "account exists but password is wrong" branches. Password verification routines such as bcrypt are computationally expensive, so executing them only on the existing-account branch creates a deterministic time delta. The fix in 8.2.4 and 9.0.3 normalizes the timing behavior of both code paths, as described in the PrestaShop security advisory GHSA-67v7-3g49-mxh2.
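The short-circuit described above, next to the constant-work branch that closes it, as an added example that is not PrestaShop's code: hashlib.scrypt stands in for the bcrypt named in the text, the customer table and credentials are constructed, and the hardened variant is one common fix (verifying a dummy hash on the unknown-account branch), not necessarily the change PrestaShop shipped.

```python
"""Added example (not PrestaShop's code): the short-circuit that creates an
observable timing discrepancy (CWE-208) beside a constant-work variant.
hashlib.scrypt stands in for bcrypt; the customer table and credentials are
constructed for the demonstration."""
import hashlib
import hmac
import os
import statistics
import time

_SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1}  # slow enough that one verify is measurable
_STATS = {"hash_calls": 0}                # counts password verifications performed


def hash_password(password, salt=None):
    """Return salt || scrypt(password) for storage (stand-in for a bcrypt hash)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)


def verify_password(password, stored):
    """Recompute the hash with the stored salt; this is the expensive step."""
    _STATS["hash_calls"] += 1
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
    return hmac.compare_digest(candidate, digest)


# Constructed customer table: email -> stored hash.
CUSTOMERS = {"alice@example.com": hash_password("correct horse battery")}
# A real-shaped hash that is verified whenever the email is unknown.
_DUMMY_HASH = hash_password(os.urandom(16).hex())


def login_vulnerable(email, password):
    """Unknown email returns before any hashing: the fast branch the text describes."""
    stored = CUSTOMERS.get(email)
    if stored is None:
        return False
    return verify_password(password, stored)


def login_hardened(email, password):
    """Both branches perform exactly one verification, so latency no longer
    depends on whether the account exists (assumed fix, not PrestaShop's patch)."""
    stored = CUSTOMERS.get(email)
    if stored is None:
        verify_password(password, _DUMMY_HASH)  # same work, result discarded
        return False
    return verify_password(password, stored)


def hash_calls_for(login_fn, email, password):
    """Number of password verifications one login attempt performs."""
    _STATS["hash_calls"] = 0
    login_fn(email, password)
    return _STATS["hash_calls"]


def median_latency(login_fn, email, password, samples=5):
    """Median wall-clock seconds per attempt; shows the measurable gap."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        login_fn(email, password)
        times.append(time.perf_counter() - start)
    return statistics.median(times)


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        known = median_latency(fn, "alice@example.com", "wrong password")
        unknown = median_latency(fn, "nobody@example.com", "wrong password")
        print(f"{fn.__name__}: known {known * 1e3:.1f} ms, unknown {unknown * 1e3:.1f} ms")
```

Running the block prints the median latency of both branches for each variant: the vulnerable function answers an unknown email in microseconds and a known one in tens of milliseconds, while the hardened function spends one hash computation either way. The dummy hash must be the same algorithm and cost parameters as real customer hashes, otherwise the gap merely shrinks instead of disappearing.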
Attack Vector
The vulnerability is reachable over the network without authentication or user interaction. An attacker scripts repeated POST requests to the PrestaShop customer login endpoint using candidate email addresses paired with an arbitrary password. By statistically comparing response times across many samples, the attacker classifies each email as either registered or unregistered. The harvested list of valid accounts then feeds downstream attacks, including credential stuffing against reused passwords, targeted phishing, and password reset abuse. Exploitation does not require any privileged access or social engineering against legitimate users.
Detection Methods for CVE-2026-25597
Indicators of Compromise
- High-volume POST requests to the PrestaShop customer authentication endpoint originating from a small set of source IP addresses.
- Repeated authentication attempts iterating across many distinct email addresses with a single static or randomized password value.
- Login traffic patterns where request rates exceed typical human behavior, particularly with consistent timing intervals.
- Authentication logs showing systematic enumeration of email addresses without successful logins.
Detection Strategies
- Deploy web application firewall rules that track login request rate and unique email cardinality per source IP over short time windows.
- Correlate authentication telemetry to flag clients that submit many distinct usernames with low success rates.
- Instrument the login endpoint with per-client request-rate and inter-request timing metrics, so that the tightly spaced, regular cadence of a latency-measuring probe stands out from human traffic.
- Monitor for user-agent strings, TLS fingerprints, or header patterns associated with scripted HTTP clients.
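The enumeration pattern listed under Indicators of Compromise and Detection Strategies (many distinct emails, a low success rate and a regular cadence from one source IP), turned into detection logic run over sample telemetry. This is an added example, not PrestaShop's code: the JSON-lines event format, the source IPs and the email addresses are constructed, and parse_events() is the one function to adapt to a real SIEM schema.

```python
"""Added example (not PrestaShop's code): flag login enumeration in
authentication telemetry. Event format, IPs and emails are constructed."""
import json
import statistics
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def sample_log_lines():
    """Constructed telemetry: one legitimate customer and one enumerating client."""
    base = datetime(2026, 2, 20, 10, 0, 0)
    events = [
        # 203.0.113.5: a real customer mistypes once, then succeeds
        {"ts": base, "src_ip": "203.0.113.5", "email": "alice@example.com", "outcome": "fail"},
        {"ts": base + timedelta(seconds=40), "src_ip": "203.0.113.5",
         "email": "alice@example.com", "outcome": "success"},
    ]
    # 198.51.100.7: 40 distinct emails, one every 2 seconds, every attempt fails
    for i in range(40):
        events.append({"ts": base + timedelta(seconds=2 * i), "src_ip": "198.51.100.7",
                       "email": f"user{i}@example.com", "outcome": "fail"})
    return [json.dumps({**e, "ts": e["ts"].isoformat()}) for e in events]


def parse_events(lines):
    """Parse JSON-lines auth events into dicts with a datetime 'ts' (adapt to your schema)."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_enumeration(events, window=timedelta(minutes=5),
                       min_distinct=20, max_success_rate=0.05):
    """Per source IP, slide a time window over its attempts and flag it once the
    window holds >= min_distinct different emails with a success rate at or
    below max_success_rate. Returns {ip: finding} for the strongest window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        win = deque()          # events inside the current window
        emails = Counter()     # email -> occurrences inside the window
        successes = 0
        for ev in attempts:
            win.append(ev)
            emails[ev["email"]] += 1
            successes += int(ev["outcome"] == "success")
            # drop events that have aged out of the window
            while ev["ts"] - win[0]["ts"] > window:
                old = win.popleft()
                emails[old["email"]] -= 1
                if emails[old["email"]] == 0:
                    del emails[old["email"]]
                successes -= int(old["outcome"] == "success")
            distinct = len(emails)
            rate = successes / len(win)
            if distinct >= min_distinct and rate <= max_success_rate:
                ordered = list(win)
                gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(ordered, ordered[1:])]
                finding = {
                    "distinct_emails": distinct,
                    "attempts": len(win),
                    "success_rate": rate,
                    # near-zero spread in inter-request gaps is the "consistent timing" indicator
                    "median_gap_s": statistics.median(gaps),
                    "gap_stdev_s": statistics.pstdev(gaps),
                    "window_end": ev["ts"],
                }
                if ip not in findings or distinct > findings[ip]["distinct_emails"]:
                    findings[ip] = finding
    return findings


if __name__ == "__main__":
    for ip, finding in detect_enumeration(parse_events(sample_log_lines())).items():
        print(ip, finding)
```

The thresholds are deliberately conservative: a shared corporate NAT can legitimately produce several distinct emails per window, so tune min_distinct against your own baseline, and treat a gap standard deviation near zero as corroboration rather than a trigger on its own.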
Monitoring Recommendations
- Forward PrestaShop access logs and authentication events to a centralized SIEM for correlation and retention.
- Alert on bursts of failed authentication attempts grouped by source IP, autonomous system, or geolocation.
- Track baseline response-time distributions for the login endpoint and alert on anomalous query volume from individual clients.
How to Mitigate CVE-2026-25597
Immediate Actions Required
- Upgrade PrestaShop to version 8.2.4 or 9.0.3 as released on the PrestaShop GitHub releases page.
- Inventory all PrestaShop deployments, including staging and development instances, to ensure full patch coverage.
- Review authentication logs for evidence of prior enumeration activity and notify potentially exposed customers if abuse is suspected.
- Enforce rate limiting on the customer login endpoint to slow automated probing while patching is scheduled.
Patch Information
PrestaShop published fixes in release 8.2.4 and release 9.0.3. Operators should follow the standard PrestaShop upgrade procedure and verify the running version after deployment. Full remediation details are documented in GitHub Security Advisory GHSA-67v7-3g49-mxh2.
Workarounds
- Place the storefront behind a web application firewall and apply strict rate limits on the customer login endpoint.
- Require CAPTCHA challenges after a small number of failed authentication attempts per source IP or session.
- Enable multi-factor authentication where supported to reduce the value of any enumerated account list.
- Restrict access to authentication endpoints by geolocation or known-good IP ranges where feasible.
# Configuration example: nginx rate limiting for the PrestaShop login endpoint
# limit_req is not permitted inside an "if" block, so the request is keyed through
# a map: an empty key means the request is not counted against the zone.
http {
    map $arg_controller $ps_login_key {
        default        "";
        authentication $binary_remote_addr;
    }
    limit_req_zone $ps_login_key zone=ps_login:10m rate=5r/m;
    server {
        location /index.php {
            limit_req zone=ps_login burst=10 nodelay;
            include fastcgi_params;
            fastcgi_pass php-fpm;   # upstream name assumed; match your PHP-FPM upstream
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.