CVE-2025-46736: 
C# vulnerability analysis and mitigation

CVE-2025-46736 affects Umbraco, a free and open source .NET content management system. The vulnerability was discovered and disclosed on May 6, 2025, affecting versions prior to 10.8.10 and 13.8.1. The issue allows attackers to determine whether a user account exists by analyzing the timing of post-login API responses (GitHub Advisory, NVD).

The vulnerability is classified as an Observable Response Discrepancy (CWE-204). It has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating it is network accessible, requires low complexity to exploit, and impacts confidentiality. The issue stems from timing differences in the login API responses that could reveal whether a user account exists in the system (GitHub Advisory, Wiz).

The vulnerability allows attackers to enumerate valid user accounts in the system by analyzing the timing differences in login API responses. This information disclosure could be used as a stepping stone for further attacks like brute force attempts or targeted phishing campaigns (GitHub Advisory).

The vulnerability has been patched in Umbraco versions 10.8.10 and 13.8.1. The fix includes implementing consistent response timing for login attempts regardless of whether an account exists or not, and adding randomness to the login duration to prevent timing analysis. No workarounds are available for unpatched versions (GitHub Commit).