CVE-2026-41571: Go Bcrypt Empty Password Placeholder Auth Bypass
greprules fetch cve-2026-41571-go-bcrypt-empty-password-placeholder-auth-bypass --engine opengrep

Description
The authentication function compares the supplied plaintext against a placeholder bcrypt hash when the user's stored password is empty (a CWE-208 timing-attack mitigation), but the success guard only checks `err == nil` without also requiring that the stored password is non-empty. An unauthenticated attacker who submits the plaintext that matches the placeholder
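The flawed guard beside its corrected form, as an added example in Go that is not the rule's detection pattern or any project's code. To keep the block runnable offline, bcrypt is replaced by a sha256-based stand-in (`hashPassword`, `compareHashAndPassword`) that mirrors the nil-or-error contract of `bcrypt.CompareHashAndPassword`; the placeholder plaintext, the account names and the passwords are constructed values. The fix keeps the constant-work comparison against the placeholder and adds the missing `hasPassword` condition to the success test.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrMismatched mirrors bcrypt.ErrMismatchedHashAndPassword. Real code would
// import golang.org/x/crypto/bcrypt; this stand-in (assumption) keeps the
// example offline-runnable while preserving the same error semantics.
var ErrMismatched = errors.New("hash and password mismatch")

// hashPassword is a stand-in for bcrypt.GenerateFromPassword (assumption:
// unsalted sha256, used only so the guard logic can be exercised).
func hashPassword(plaintext string) []byte {
	sum := sha256.Sum256([]byte(plaintext))
	return sum[:]
}

// compareHashAndPassword is a stand-in for bcrypt.CompareHashAndPassword:
// nil on match, ErrMismatched otherwise.
func compareHashAndPassword(hash []byte, plaintext string) error {
	sum := sha256.Sum256([]byte(plaintext))
	if subtle.ConstantTimeCompare(hash, sum[:]) == 1 {
		return nil
	}
	return ErrMismatched
}

// placeholderHash keeps the comparison work constant when the account has no
// stored password (the CWE-208 mitigation). Its plaintext is a constructed
// value for this example.
var placeholderHash = hashPassword("placeholder-not-a-real-password")

// authenticateVulnerable reproduces the flawed guard: when the stored hash is
// empty it compares against the placeholder, then treats err == nil as success.
func authenticateVulnerable(storedHash []byte, supplied string) bool {
	hash := storedHash
	if len(hash) == 0 {
		hash = placeholderHash
	}
	err := compareHashAndPassword(hash, supplied)
	return err == nil // BUG: a match against the placeholder also passes
}

// authenticateFixed performs the same constant-work comparison but only
// grants access when a real password is on record.
func authenticateFixed(storedHash []byte, supplied string) bool {
	hash := storedHash
	hasPassword := len(storedHash) != 0
	if !hasPassword {
		hash = placeholderHash
	}
	err := compareHashAndPassword(hash, supplied)
	return err == nil && hasPassword
}

func main() {
	alice := hashPassword("correct horse battery staple") // constructed account
	var bob []byte                                        // constructed account with no password set

	fmt.Println(authenticateVulnerable(alice, "correct horse battery staple")) // true
	fmt.Println(authenticateVulnerable(bob, "placeholder-not-a-real-password")) // true: placeholder match accepted
	fmt.Println(authenticateFixed(bob, "placeholder-not-a-real-password"))      // false: empty stored password never authenticates
}
```

A rule that flags this pattern should look for the placeholder substitution followed by a success check that mentions only the comparison error; the presence of `len(storedHash) != 0` (or an equivalent non-empty check) in the same condition is what distinguishes the fixed form.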
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided