User Enumeration via Response Timing was discovered in heroiclabs/nakama through 3.15.0. There is a significant timing difference in the login functionality of the Nakama Console for valid and invalid email addresses or usernames. An attacker is able to identify valid email addresses and usernames. This could allow for further attacks such as brute force attacks on valid accounts.