CVE-2026-41263

UNKNOWN 0.0

Traefik: BasicAuth middleware: timing side-channel vulnerability

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. This restores the original timing oracle and makes it possible to distinguish existing users from non-existing ones by measuring authentication response times. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

CWE	CWE-208
Vendor	traefik
Product	traefik
Published	Apr 30, 2026

Stay Ahead of the Next One

Get instant alerts for traefik traefik

Be the first to know when new unknown vulnerabilities affecting traefik traefik are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

traefik / traefik

< 2.11.43 >= 3.0.0-beta1, < 3.6.14 >= 3.7.0-ea.1, < 3.7.0-rc.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h github.com: https://github.com/traefik/traefik/releases/tag/v2.11.43 github.com: https://github.com/traefik/traefik/releases/tag/v3.6.14 github.com: https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2