MEDIUM 5.3
GHSA-5w46-g9pq-wh6f
Filament: Timing-based user enumeration on login page
Details
The login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email.
Affected packages
Packagist / filament/filament
Introduced in: 4.0.0
Fixed in: 4.11.5
Fix: composer require filament/filament:^4.11.5

Packagist / filament/filament
Introduced in: 5.0.0
Fixed in: 5.6.5
Fix: composer require filament/filament:^5.6.5
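
One way to check a project against the ranges listed above, as an added example that is not part of the advisory or of Filament's code: it reads the contents of a composer.lock file and reports whether the locked filament/filament version falls in an affected range. The function names and the sample lock content are constructed for illustration.

```python
import json
import re

# Affected ranges from this advisory: (introduced, fixed); "fixed" is exclusive.
AFFECTED = [((4, 0, 0), (4, 11, 5)), ((5, 0, 0), (5, 6, 5))]
PACKAGE = "filament/filament"


def parse_version(text):
    """Turn 'v4.11.4' or '4.11.4' into (4, 11, 4).

    Returns None for anything else (dev branches, pre-releases), so those
    are reported as 'unknown' rather than guessed at."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version):
    """True if the version tuple lies in a range the advisory lists."""
    return any(lo <= version < hi for lo, hi in AFFECTED)


def check_lock(lock_text):
    """Return (locked_version_string, status) for composer.lock contents.

    status: 'affected', 'outside listed ranges', 'unknown' (version could
    not be parsed) or 'absent' (package is not in the lock file)."""
    lock = json.loads(lock_text)
    for key in ("packages", "packages-dev"):
        for pkg in lock.get(key) or []:
            if pkg.get("name") != PACKAGE:
                continue
            raw = pkg.get("version", "")
            version = parse_version(raw)
            if version is None:
                return raw, "unknown"
            status = "affected" if is_affected(version) else "outside listed ranges"
            return raw, status
    return None, "absent"


# Constructed sample composer.lock fragment, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "filament/filament", "version": "v4.11.4"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

A result of "unknown" means the locked version is a branch or pre-release and needs a manual look.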