CVE-2026-32595

· Published 20/03/2026 11:18 · Modified 20/03/2026 13:37

Labels: CVE-2026-32595, 2026-03-20, CWE-208, [email protected]

Essential information

Published: 20/03/2026 11:18
Modified: 20/03/2026 13:37
Author:
Creator:
CVSS: 6.3 MEDIUM (v3), 6.3 MEDIUM (v4.0)
CISA KEV: No
CWE: CWE-208 (Observable Timing Discrepancy)
CVSS vector:
CVSS metrics:

Description

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 contain a BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
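The description boils down to one code-path asymmetry: the expensive password hash only runs when the username is found, so the "unknown user" branch answers almost instantly. The following is an added example, not Traefik's code and not necessarily the fix the project shipped. It shows the vulnerable lookup pattern next to a hardened one that does the same amount of work on both paths (comparing against a dummy hash when the user is unknown). The slow hash is a stand-in for bcrypt built from iterated SHA-256 so the example needs only the Go standard library; `hashRounds`, `hashCalls`, `userStore`, and the sample user data are all constructed for this illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"time"
)

// hashRounds is a hypothetical cost parameter for the stand-in hash below.
const hashRounds = 200_000

// hashCalls counts how often the slow hash ran. It exists only so the example
// can show deterministically which code path did the expensive work.
var hashCalls int

// slowHash is a stand-in for bcrypt (iterated SHA-256, standard library only).
// Like bcrypt, its cost does not depend on the password being hashed.
func slowHash(password string) []byte {
	hashCalls++
	sum := sha256.Sum256([]byte(password))
	for i := 1; i < hashRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

// verify recomputes the hash of the candidate password and compares it to the
// stored hash in constant time.
func verify(storedHex, password string) bool {
	stored, err := hex.DecodeString(storedHex)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(stored, slowHash(password)) == 1
}

// userStore maps a username to its hex-encoded hash (constructed sample data).
type userStore map[string]string

// checkVulnerable mirrors the flaw in the CVE description: the expensive
// comparison runs only when the username exists, so an unknown username is
// rejected almost instantly and the response time reveals which names are valid.
func checkVulnerable(users userStore, user, pass string) bool {
	stored, ok := users[user]
	if !ok {
		return false // no hashing work on this path
	}
	return verify(stored, pass)
}

// dummyHash is a valid hash of a password nobody can log in with. It lets the
// unknown-user path do exactly the work the known-user path does.
var dummyHash = hex.EncodeToString(slowHash("dummy-password-never-accepted"))

// checkHardened always performs the full hash computation and always rejects
// unknown users, so the elapsed time no longer depends on username validity.
func checkHardened(users userStore, user, pass string) bool {
	stored, ok := users[user]
	if !ok {
		stored = dummyHash
	}
	valid := verify(stored, pass) // runs on both paths
	return ok && valid
}

// hashCallsFor reports how many times the slow hash ran during one call of fn.
func hashCallsFor(fn func(userStore, string, string) bool, users userStore, user, pass string) int {
	before := hashCalls
	fn(users, user, pass)
	return hashCalls - before
}

// sampleUsers builds a one-user store with a constructed credential.
func sampleUsers() userStore {
	return userStore{"alice": hex.EncodeToString(slowHash("correct horse"))}
}

func main() {
	users := sampleUsers()
	checks := []struct {
		name string
		fn   func(userStore, string, string) bool
	}{{"vulnerable", checkVulnerable}, {"hardened", checkHardened}}
	for _, c := range checks {
		for _, u := range []string{"alice", "nobody"} {
			start := time.Now()
			c.fn(users, u, "wrong")
			fmt.Printf("%-10s user=%-6s elapsed=%v\n", c.name, u, time.Since(start))
		}
	}
}
```

Running `main` prints the four timings; the vulnerable check shows a large gap between the known and unknown user, while the hardened check shows roughly equal times for both. A middleware that keeps a dummy hash must generate it with the same algorithm and cost parameters as the real credentials, otherwise the work (and the timing) would differ again.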

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product | CPE
traefik / traefik cpe:2.3:a:traefik:traefik:2.11.40:*:*:*:*:*:*:*
traefik / traefik cpe:2.3:a:traefik:traefik:<3.0.0-beta1:3.6.11:*:*:*:*:*:*:*
traefik / traefik cpe:2.3:a:traefik:traefik:3.7.0-ea.1:*:*:*:*:*:*:*

References