Vulnerability in Vendurehq Vendure
CVE-2026-25050
Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). I…
EPSS: 0.000 (6.1th percentile)
Affected products
- Vendurehq Vendure — versions < 3.5.3
Weakness classification (CWE)
References
- https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch (vendor advisory)
- https://github.com/vendurehq/vendure/releases/tag/v3.5.3 (release notes)