diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6cf2adc67..cd3d93c5b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 - fset: remove error displayed in core buffer when clicking with the mouse below the last option displayed
 - relay: limit size of decompressed websocket frame with permessage-deflate to prevent memory exhaustion ([GHSA-v2v4-45wm-5cr3](https://github.com/weechat/weechat/security/advisories/GHSA-v2v4-45wm-5cr3))
 - relay: fix timing attack on password authentication ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc))
+- api, relay: fix timing attack on TOTP validation ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc))
 
 ## Version 4.9.0 (2026-03-29)
 
diff --git a/src/core/core-crypto.c b/src/core/core-crypto.c
index fbda128e6..a4f3fd26b 100644
--- a/src/core/core-crypto.c
+++ b/src/core/core-crypto.c
@@ -660,15 +660,18 @@ weecrypto_totp_validate (const char *secret_base32, time_t totp_time,
 
     otp_ok = 0;
 
+    /*
+     * Compare in constant time and never break early: a non-constant
+     * compare and an early exit on match would let an observer measure
+     * how many digits of the expected OTP they got right and which
+     * time-window offset matched.
+     */
     for (i = moving_factor - window; i <= moving_factor + window; i++)
     {
         rc = weecrypto_totp_generate_internal (secret, length_secret,
                                                i, digits, str_otp);
-        if (rc && (strcmp (str_otp, otp) == 0))
-        {
+        if (rc && (string_memcmp_constant_time (str_otp, otp, digits) == 0))
             otp_ok = 1;
-            break;
-        }
     }
 
     free (secret);