CVE-2026-4045 Overview
A vulnerability has been identified in ProjectSend up to version r1945. The flaw exists within the file includes/Classes/Auth.php and involves an observable response discrepancy when processing the ldap_email argument. This information disclosure vulnerability can be exploited remotely, though the attack complexity is considered high. The vendor was contacted regarding this disclosure but did not respond.
Critical Impact
This vulnerability enables attackers to enumerate valid LDAP email addresses through timing or response differences, potentially facilitating targeted attacks against authenticated users.
Affected Products
- ProjectSend up to r1945
- ProjectSend installations using LDAP authentication
Discovery Timeline
- 2026-03-12 - CVE-2026-4045 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-4045
Vulnerability Analysis
This vulnerability is classified as CWE-203 (Observable Response Discrepancy), the weakness behind timing and response-oracle attacks. The flaw occurs in the authentication handling code within Auth.php, where the application reveals information about the validity of LDAP email addresses through observable differences in its responses.
When an attacker supplies different values to the ldap_email parameter, the application exhibits distinguishable behavior patterns that can be analyzed to determine whether a particular email address exists within the LDAP directory. This type of information leakage can be leveraged for user enumeration attacks, which serve as a precursor to more sophisticated attacks such as credential stuffing or targeted phishing campaigns.
The attack requires network access but is noted to have high complexity, meaning successful exploitation requires specific conditions or technical expertise. However, once mastered, this technique can be automated to systematically enumerate valid email addresses.
Root Cause
The root cause of this vulnerability lies in inconsistent response handling within the Auth.php authentication class. The application processes valid and invalid ldap_email values differently, creating observable side channels that leak information about the existence of user accounts in the LDAP directory.
Proper implementations should ensure constant-time comparisons and uniform response behaviors regardless of whether the supplied credentials reference a valid user, preventing attackers from distinguishing between valid and invalid enumeration attempts.
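As an added illustration (not ProjectSend's Auth.php), the two PHP functions below contrast a discrepant LDAP e-mail check with one that returns the same message and does the same work on both paths; the in-memory $directory, the 20 ms simulated bind and the 100 ms response floor are assumptions.

```php
<?php
// Added illustration of CWE-203 in an LDAP e-mail lookup and one way to
// remove the discrepancy. Constructed example, not ProjectSend's Auth.php;
// the in-memory $directory stands in for a real LDAP bind (not a storage scheme).
declare(strict_types=1);

const AUTH_ERROR = 'Invalid credentials.';   // one message for every failure

// Discrepant pattern: unknown e-mails return early with a distinct message,
// so both the text and the elapsed time reveal whether the address exists.
function loginDiscrepant(array $directory, string $ldapEmail, string $password): array
{
    if (!isset($directory[$ldapEmail])) {
        return ['ok' => false, 'msg' => 'E-mail not found in LDAP'];
    }
    usleep(20000);                               // stands in for a slow LDAP bind
    $ok = hash_equals($directory[$ldapEmail], hash('sha256', $password));
    return ['ok' => $ok, 'msg' => $ok ? 'Welcome' : 'Wrong password'];
}

// Hardened pattern: identical message for every failure, the same amount of
// work whether or not the e-mail exists, and a fixed minimum response time.
function loginUniform(array $directory, string $ldapEmail, string $password): array
{
    $start = hrtime(true);
    $known = isset($directory[$ldapEmail]);
    // Compare against a dummy value when the user is unknown so the bind-like
    // work and the comparison happen on every code path.
    $stored = $known ? $directory[$ldapEmail] : hash('sha256', 'dummy-placeholder');
    usleep(20000);                               // same simulated bind cost on both paths
    $ok = hash_equals($stored, hash('sha256', $password)) && $known;
    // Pad to an assumed 100 ms floor so small residual differences stay
    // below what a remote client can measure.
    $elapsedUs = intdiv((int)(hrtime(true) - $start), 1000);
    if ($elapsedUs < 100000) {
        usleep(100000 - $elapsedUs);
    }
    return ['ok' => $ok, 'msg' => $ok ? 'Welcome' : AUTH_ERROR];
}

// Constructed directory: e-mail => sha256 of the password (stand-in only).
$directory = ['alice@example.test' => hash('sha256', 'correct horse')];
foreach (['alice@example.test', 'nobody@example.test'] as $email) {
    $r = loginUniform($directory, $email, 'wrong');
    printf("%-22s -> %s\n", $email, $r['msg']);  // same message for both addresses
}
```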
Attack Vector
The vulnerability can be exploited remotely via network access. An attacker would craft multiple authentication requests with varying ldap_email parameter values and analyze the responses for timing differences, error message variations, or other distinguishable behaviors.
The attack methodology typically involves:
- Sending authentication requests with suspected LDAP email addresses
- Measuring response times or analyzing response content
- Identifying patterns that differentiate valid from invalid email addresses
- Building a list of confirmed valid email addresses for subsequent attacks
For additional technical details, researchers can reference the VulDB entry #350657 and the shared documentation.
Detection Methods for CVE-2026-4045
Indicators of Compromise
- Unusual volume of authentication requests targeting the LDAP authentication endpoint
- Multiple failed authentication attempts with varying ldap_email values from a single IP address
- Automated scanning patterns against the authentication endpoint backed by includes/Classes/Auth.php
- Sequential or dictionary-based email enumeration attempts in authentication logs
Detection Strategies
- Monitor authentication logs for anomalous patterns indicating enumeration attempts
- Implement rate limiting detection for authentication endpoints
- Deploy web application firewall rules to identify suspicious parameter manipulation
- Analyze HTTP response timing patterns for potential side-channel exploitation
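An added example of the log-based detection above (not ProjectSend code): it flags a source IP that fails authentication with many distinct ldap_email values inside a short window, while a single user retrying one address is left alone; the log line format, the thresholds and the sample lines are all constructed assumptions.

```php
<?php
// Added detection example for the enumeration indicators listed above: flag a
// source IP that fails with many *distinct* ldap_email values in a short window.
// Not ProjectSend code; the log line format below is assumed.
declare(strict_types=1);

// Constructed sample log lines (documentation IPs, fictitious addresses).
$sampleLog = <<<'LOG'
2026-03-12T10:00:01Z ip=203.0.113.5 result=fail ldap_email=alice@example.test
2026-03-12T10:00:02Z ip=203.0.113.5 result=fail ldap_email=bob@example.test
2026-03-12T10:00:03Z ip=203.0.113.5 result=fail ldap_email=carol@example.test
2026-03-12T10:00:04Z ip=203.0.113.5 result=fail ldap_email=dave@example.test
2026-03-12T10:00:05Z ip=203.0.113.5 result=fail ldap_email=erin@example.test
2026-03-12T10:00:09Z ip=198.51.100.7 result=fail ldap_email=frank@example.test
2026-03-12T10:00:15Z ip=198.51.100.7 result=fail ldap_email=frank@example.test
2026-03-12T10:00:20Z ip=198.51.100.7 result=ok ldap_email=frank@example.test
LOG;

// Returns ip => number of distinct e-mails for every IP that failed with at
// least $threshold distinct ldap_email values inside some $windowSec window.
function findEnumerationSources(string $log, int $threshold = 5, int $windowSec = 60): array
{
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) ip=(\S+) result=fail ldap_email=(\S+)$/', $line, $m)) {
            continue;                      // successes and unrelated lines are ignored
        }
        $byIp[$m[2]][] = ['t' => strtotime($m[1]), 'email' => strtolower($m[3])];
    }
    $flagged = [];
    foreach ($byIp as $ip => $events) {
        usort($events, fn($a, $b) => $a['t'] <=> $b['t']);
        for ($i = 0; $i < count($events); $i++) {
            $seen = [];                    // distinct e-mails in the window starting at event $i
            for ($j = $i; $j < count($events) && $events[$j]['t'] - $events[$i]['t'] <= $windowSec; $j++) {
                $seen[$events[$j]['email']] = true;
            }
            if (count($seen) >= $threshold) {
                $flagged[$ip] = count($seen);
                break;
            }
        }
    }
    return $flagged;
}

print_r(findEnumerationSources($sampleLog));
```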
Monitoring Recommendations
- Enable detailed logging for all authentication-related endpoints in ProjectSend
- Configure alerting for high volumes of authentication failures from single sources
- Monitor network traffic for automated scanning tools targeting the application
- Review access logs for patterns consistent with user enumeration attacks
How to Mitigate CVE-2026-4045
Immediate Actions Required
- Restrict network access to ProjectSend authentication endpoints where possible
- Implement rate limiting on authentication requests to slow enumeration attempts
- Deploy web application firewall rules to detect and block suspicious authentication patterns
- Consider disabling LDAP authentication temporarily if not critical to operations
Patch Information
As of the last update on 2026-03-12, the vendor has not provided a security patch for this vulnerability. The vendor was contacted early about this disclosure but did not respond. Users should monitor the official ProjectSend repository and security advisories for future updates. Additional information may be available through the VulDB CTI entry.
Workarounds
- Implement constant-time comparison functions in authentication code if source modification is possible
- Add CAPTCHA or additional challenge mechanisms to authentication endpoints
- Configure network-level access controls to limit exposure of the vulnerable endpoint
- Deploy intrusion prevention systems to detect and block enumeration attempts
- Consider implementing account lockout policies to mitigate enumeration effectiveness
# Example: rate limiting new HTTP connections with iptables (port 80 shown; add
# the same pair for --dport 443 on a TLS site). Netfilter cannot see the URL,
# so this counts every new connection to the port, not only the authentication
# endpoint, and drops a source once it opens 10 new connections within 60 seconds.
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.