CVE Alert

CVE-2026-32595

UNKNOWN 0.0

Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
10th

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 contain a BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms; when the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and lets an unauthenticated attacker reliably distinguish valid from invalid usernames. The issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
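The defect described above, as an added illustration in Go that is not Traefik's code: a minimal BasicAuth-style check with the early-return pattern beside a version that pays the hash cost on both the known-user and unknown-user paths. The iterated-SHA-256 hash, the user table, the dummy password and the comparison counter are constructed stand-ins (real code keeps bcrypt); the counter makes the difference in work checkable without timing.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
)

// Stand-in for bcrypt (assumption: iterated SHA-256 only avoids a dependency; real code keeps bcrypt).
func slowHash(password string) string {
	h := sha256.Sum256([]byte(password))
	for i := 0; i < 20000; i++ {
		h = sha256.Sum256(h[:])
	}
	return hex.EncodeToString(h[:])
}

var (
	// Constructed user store with one known account.
	users = map[string]string{"alice": slowHash("correct horse battery staple")}
	// Hash compared against for unknown users, so both paths do the same work.
	dummyHash = slowHash("dummy-password-never-accepted")
	// Number of expensive comparisons run; lets per-path work be checked without timing.
	compares int
)

func compareHash(hash, password string) bool {
	compares++
	return subtle.ConstantTimeCompare([]byte(hash), []byte(slowHash(password))) == 1
}

// authVulnerable mirrors the reported pattern: an unknown user returns
// before the expensive comparison, so only missing users answer fast.
func authVulnerable(user, password string) bool {
	hash, ok := users[user]
	if !ok {
		return false
	}
	return compareHash(hash, password)
}

// authHardened always runs the comparison and folds the lookup result in
// afterwards, so an unknown user never authenticates against dummyHash.
func authHardened(user, password string) bool {
	hash, ok := users[user]
	if !ok {
		hash = dummyHash
	}
	return compareHash(hash, password) && ok
}
```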

CWE CWE-208
Vendor traefik
Product traefik
Published Mar 20, 2026
Last Updated Mar 20, 2026

Affected Versions

traefik / traefik
< 2.11.41
>= 3.0.0-beta1, < 3.6.11
>= 3.7.0-ea.1, < 3.7.0-ea.2

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr
github.com: https://github.com/traefik/traefik/releases/tag/v2.11.41
github.com: https://github.com/traefik/traefik/releases/tag/v3.6.11
github.com: https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2