Overview: 1 vulnerability

WSA         Score  Severity  Issue                                        Vulnerability type             Scope       Versions       Fix    Release date
WSA-2026-2  7.4    high      Non-constant time password/hash comparison.  Observable Timing Discrepancy  API, Relay  0.3.4 → 4.9.0  4.9.1

WSA-2026-2: [API, Relay] Non-constant time password/hash comparison.

Vulnerability
CVE
Pending
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H (detail)
CVSS score
7.4 / 10
Severity
high
Vulnerability type
Observable Timing Discrepancy (detail)
Scope
API, Relay
Affected versions
0.3.4 → 4.9.0
Fixed version
4.9.1 () - ChangeLog
Description
WeeChat compares passwords, password hashes and TOTP codes with non-constant-time comparisons in the Relay plugin and in TOTP validation, so the time a comparison takes depends on how many leading bytes of the supplied value match the expected one.
An attacker able to measure those timing differences could guess a password, a hash or a TOTP code incrementally rather than by brute force, and so bypass relay authentication.
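The following C program is an added illustration of the class of bug this advisory describes; it is not WeeChat's code, and the advisory does not say how 4.9.1 implements its fix, so the constant-time routine below is the standard remedy rather than WeeChat's patch. All function names (compare_leaky, compare_constant_time, leaky_work, recover_secret, attack_calls_if_recovered) and the 16-hex-digit sample secret are constructed for the example. Instead of a noisy wall-clock measurement, the "timing" signal is modelled as the number of bytes an early-exit strcmp reads before returning, which is what a remote attacker infers from response latency:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison: the shape of the bug the advisory describes.
 * strcmp returns at the first differing byte, so the time spent grows with
 * the length of the correctly guessed prefix. (Illustrative, not WeeChat's
 * own code.) */
int compare_leaky(const char *expected, const char *supplied)
{
    return strcmp(expected, supplied) == 0;
}

/* Constant-time comparison: examines every byte of both inputs and folds
 * the differences together with OR, so the work done does not depend on
 * where (or whether) they differ. Only the length is checked early, which
 * is acceptable for a hash or TOTP code of known, fixed size. */
int compare_constant_time(const unsigned char *expected, size_t expected_len,
                          const unsigned char *supplied, size_t supplied_len)
{
    if (expected_len != supplied_len)
        return 0;
    volatile unsigned char diff = 0;
    for (size_t i = 0; i < expected_len; i++)
        diff |= expected[i] ^ supplied[i];
    return diff == 0;
}

/* Deterministic stand-in for a timing measurement of compare_leaky: the
 * number of bytes strcmp reads before it can return. */
size_t leaky_work(const char *expected, const char *supplied)
{
    size_t i = 0;
    while (expected[i] != '\0' && expected[i] == supplied[i])
        i++;
    return i + 1; /* the mismatching or terminating byte is read too */
}

/* For the constant-time path the work is the full length whenever the
 * lengths match, independent of content (1 when the length check fails). */
size_t constant_time_work(size_t expected_len, size_t supplied_len)
{
    return expected_len == supplied_len ? expected_len : 1;
}

/* Simulated attacker against the leaky oracle: extend the guess one hex
 * digit at a time, keeping the candidate that makes the oracle do the most
 * work. Recovers an n-digit secret in about 16*n oracle calls instead of
 * 16^n. Returns the number of oracle calls and writes the guess into out. */
size_t recover_secret(const char *secret, char *out, size_t out_size)
{
    static const char alphabet[] = "0123456789abcdef";
    size_t secret_len = strlen(secret);
    size_t calls = 0;
    if (secret_len + 1 > out_size)
        return 0;
    memset(out, 0, out_size);
    for (size_t pos = 0; pos < secret_len; pos++) {
        size_t best_work = 0;
        char best_char = alphabet[0];
        for (size_t c = 0; alphabet[c] != '\0'; c++) {
            out[pos] = alphabet[c];
            size_t work = leaky_work(secret, out);
            calls++;
            if (work > best_work) {
                best_work = work;
                best_char = alphabet[c];
            }
        }
        out[pos] = best_char;
    }
    return calls;
}

/* Runs the simulated attack; returns the number of oracle calls if the
 * secret was recovered exactly, or 0 if it was not. */
size_t attack_calls_if_recovered(const char *secret)
{
    char out[64];
    size_t calls = recover_secret(secret, out, sizeof out);
    return (calls > 0 && strcmp(out, secret) == 0) ? calls : 0;
}

int main(void)
{
    /* Constructed sample: a 16-hex-digit value standing in for a stored
     * password hash. */
    const char *secret = "deadbeefcafef00d";
    char guess[64];
    size_t calls = recover_secret(secret, guess, sizeof guess);

    printf("leaky oracle: recovered \"%s\" in %zu calls (brute force: 16^16)\n",
           guess, calls);
    printf("leaky work, wrong first byte: %zu; right prefix of 8: %zu\n",
           leaky_work(secret, "0"), leaky_work(secret, "deadbeef"));
    printf("constant-time work, any 16-byte guess: %zu\n",
           constant_time_work(16, 16));
    printf("constant-time compare of recovered value: %d\n",
           compare_constant_time((const unsigned char *)secret, 16,
                                 (const unsigned char *)guess, 16));
    return 0;
}
```

The attacker's loop only works because leaky_work grows with the matching prefix; against compare_constant_time every guess of the right length costs the same, so the per-position search degenerates to a 16^n brute force. Note also that the constant-time version takes explicit lengths rather than relying on NUL termination, which is what you want when the compared value is a raw hash rather than a C string.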
Mitigation
There are multiple ways to mitigate this issue:
Credit
The issue was discovered by Tristan Madani (@TristanInSec) from Talence Security.