Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration
Description
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/traefik/traefikGo | <= 1.7.34 | — |
github.com/traefik/traefik/v2Go | < 2.11.41 | 2.11.41 |
github.com/traefik/traefik/v3Go | < 3.6.11 | 3.6.11 |
github.com/traefik/traefik/v3Go | >= 3.7.0-ea.1, < 3.7.0-ea.2 | 3.7.0-ea.2 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/advisories/GHSA-g3hg-j4jv-cwfrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32595ghsaADVISORY
- github.com/traefik/traefik/releases/tag/v2.11.41ghsax_refsource_MISCWEB
- github.com/traefik/traefik/releases/tag/v3.6.11ghsax_refsource_MISCWEB
- github.com/traefik/traefik/releases/tag/v3.7.0-ea.2ghsax_refsource_MISCWEB
- github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfrghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.