CVE-2026-32595

EUVD-2026-13664

20.03.2026, 11:18

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.7 LOW	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
traefik	traefik	𝑥 < 2.11.41
traefik	traefik	3.0.0 ≤ 𝑥 ≤ 3.6.11
traefik	traefik	3.7.0:ea1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-208 - Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

https://github.com/traefik/traefik/releases/tag/v2.11.41

https://github.com/traefik/traefik/releases/tag/v3.6.11

https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2

https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr