CVE-2026-23892

CVE-2026-23892 is a medium-severity vulnerability in Octoprint with a CVSS 3.x base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-208.

Key facts

Description

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographical method with static runtime regardless of the point of mismatch, an attacker with network based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guess an API key character by character. The vulnerability is patched in version 1.11.6. The likelihood of this attack actually working is highly dependent on the network's latency, noise and similar parameters. An actual proof of concept was not achieved so far. Still, as always administrators are advised to not expose their OctoPrint instance on hostile networks, especially not on the public Internet.

Frequently asked questions

What is CVE-2026-23892?
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographical method with static runtime regardless of the point of mismatch, an attacker with network based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guess an API key character by character. The vulnerability is patched in version 1.11.6. The likelihood of this attack actually working is highly dependent on the network's latency, noise and similar parameters. An actual proof of concept was not achieved so far. Still, as always administrators are advised to not expose their OctoPrint instance on hostile networks, especially not on the public Internet.
How severe is CVE-2026-23892?
CVE-2026-23892 has a CVSS 3.x base score of 5.9, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2026-23892 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (38th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-23892?
CVE-2026-23892 affects Octoprint. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-23892?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-23892 have an EU (EUVD) identifier?
Yes. CVE-2026-23892 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-4775.
When was CVE-2026-23892 published?
CVE-2026-23892 was published on 2026-01-27 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Octoprint

All CVEs affecting Octoprint →

Other CWE-208 vulnerabilities

Browse all CWE-208 vulnerabilities →