Probably, but note that cross-domain GET-requests have been supported since the beginning of the web, since this is literally how links works.

So while a badly implemented GET handler can indeed cause security issues, this is old news and unrelated to CORS.

(Besides, why measure response times? Can’t you just check if api/users?name=john returns a resource or a 404 not found?)