CVE-2026-32595
Timing Attack Enables Username Enumeration in Traefik BasicAuth
Publication date: 2026-03-20
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| traefik | traefik | up to 2.11.41 (excluding) |
| traefik | traefik | from 3.0.0 (including) to 3.6.11 (including) |
| traefik | traefik | 3.7.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Traefik's BasicAuth middleware, which is used for HTTP authentication. The issue is a timing attack that allows an attacker to determine whether a username exists by measuring how long the system takes to respond.

When a username exists, the middleware performs a bcrypt password comparison that takes about 166 milliseconds. When the username does not exist, the response is returned almost immediately, in about 0.6 milliseconds. This large timing difference (approximately 298 times) can be observed remotely over the network.

Because of this timing discrepancy, an unauthenticated attacker can reliably distinguish valid usernames from invalid ones, effectively enumerating usernames. The root cause is that the middleware does not perform a dummy bcrypt comparison for non-existent users, breaking the principle of constant-time execution. [1]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to enumerate valid usernames on systems using Traefik's BasicAuth middleware. By knowing valid usernames, attackers can focus password brute-force or other targeted attacks on confirmed accounts.

The attack requires only sending HTTP requests and measuring response times, making it low complexity and feasible over the network without any privileges or user interaction.

While the vulnerability does not directly compromise confidentiality, integrity, or availability of the system, it discloses sensitive information about user existence, which can be leveraged in further attacks. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by measuring the response times of authentication attempts with different usernames against the Traefik BasicAuth middleware.

An attacker or tester can send multiple HTTP requests with various usernames and observe the timing differences in the responses.

Valid usernames cause the middleware to perform a bcrypt password comparison taking approximately 166 milliseconds, while invalid usernames return almost immediately in about 0.6 milliseconds.

A practical detection method involves scripting HTTP requests to the protected endpoint and measuring median response times to distinguish valid from invalid usernames.

For example, using a command-line tool like curl in a loop combined with timing measurements, or a Python script that automates requests and calculates response-time medians, can reveal the timing discrepancy.

- Use curl with time measurement: `curl -w "%{time_total}\n" -o /dev/null -s -u username:password https://target.example.com/protected`
- Automate multiple requests with different usernames and compare the average or median response times.
- A Python script can be used to send HTTP requests and measure response times precisely to detect the timing difference. [1]
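The answer above describes probing from the client side. From the defender's side, the same activity leaves a footprint in the proxy's access log: one client cycling through many distinct usernames, each failing with 401, in a short window. The following is an added example (not from this page or the Traefik project) that flags such clients; it assumes Common Log Format lines in which the username from the Authorization header appears as the third field, and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in Common Log Format (assumption: the proxy
# writes the username supplied in the Authorization header as the third
# field, and rejected BasicAuth attempts are logged with status 401).
LOG_LINES = """\
203.0.113.7 - alice [20/Mar/2026:10:00:01 +0000] "GET /admin HTTP/1.1" 200 512
203.0.113.9 - bob [20/Mar/2026:10:00:02 +0000] "GET /admin HTTP/1.1" 401 17
203.0.113.9 - carol [20/Mar/2026:10:00:03 +0000] "GET /admin HTTP/1.1" 401 17
203.0.113.9 - dave [20/Mar/2026:10:00:04 +0000] "GET /admin HTTP/1.1" 401 17
203.0.113.9 - erin [20/Mar/2026:10:00:05 +0000] "GET /admin HTTP/1.1" 401 17
203.0.113.9 - frank [20/Mar/2026:10:00:06 +0000] "GET /admin HTTP/1.1" 401 17
203.0.113.9 - grace [20/Mar/2026:10:00:07 +0000] "GET /admin HTTP/1.1" 401 17
203.0.113.7 - alice [20/Mar/2026:10:05:00 +0000] "GET /admin HTTP/1.1" 401 17
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (client_ip, username, timestamp, status) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["user"], ts, int(m["status"])

def enumeration_suspects(lines, window=timedelta(minutes=5), min_users=5):
    """Map client_ip -> sorted distinct usernames for every client whose 401s
    cover at least `min_users` different usernames inside one `window`.
    A single user mistyping a password never trips this; many names do."""
    attempts = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, user, ts, status = rec
        if status == 401 and user != "-":
            attempts[ip].append((ts, user))
    suspects = {}
    for ip, evs in attempts.items():
        evs.sort()  # sliding window over the client's failed attempts
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_users:
                suspects[ip] = sorted(users)
                break
    return suspects
```

Feed the real access log through `enumeration_suspects` and tune `window` and `min_users` to the site's normal failed-login rate; the thresholds here are illustrative.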
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Traefik to a patched version where this vulnerability is fixed.
Specifically, upgrade to Traefik versions 2.11.41, 3.6.11, or 3.7.0-ea.2 or later, which include the fix that ensures bcrypt password comparisons are performed regardless of username validity to equalize response times.
Until the upgrade can be applied, consider restricting network access to the BasicAuth-protected endpoints to trusted sources only, to reduce the risk of remote timing attacks.
Monitor authentication logs for suspicious repeated attempts that might indicate username enumeration attempts.
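The fix described above, performing the expensive comparison whether or not the username exists, is shown here as an added example that is not code from this page or from Traefik. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (so it runs without third-party packages); the user store and salts are constructed. The vulnerable form returns early for unknown users, the hardened form compares against a precomputed dummy record and forces the result to False, so both paths pay the same hashing cost.

```python
import hashlib
import hmac
import secrets

# Stand-in for bcrypt (assumption: PBKDF2-HMAC-SHA256 from the standard
# library plays the role of the slow password hash). The iteration count is
# what makes the "hash computed vs. skipped" gap observable over a network.
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store: username -> (salt, hash). Not real credentials.
_SALT_ALICE = bytes.fromhex("00" * 16)
USERS = {"alice": (_SALT_ALICE, hash_password("correct horse", _SALT_ALICE))}

# Dummy record computed once at startup. Unknown usernames are compared
# against it so that the expensive hash always runs exactly once.
_DUMMY_SALT = bytes.fromhex("ff" * 16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

hash_calls = {"n": 0}  # instrumentation: counts slow comparisons performed

def _compare(password: str, salt: bytes, expected: bytes) -> bool:
    hash_calls["n"] += 1
    return hmac.compare_digest(hash_password(password, salt), expected)

def check_vulnerable(username: str, password: str) -> bool:
    """Early return for unknown users: no hash is computed, the response is
    near-instant, and the username's absence leaks through the timing."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return _compare(password, *rec)

def check_hardened(username: str, password: str) -> bool:
    """Always run the slow comparison. For unknown users the work is done
    against the dummy record and the result is forced to False, so the
    known and unknown paths cost the same."""
    rec = USERS.get(username)
    known = rec is not None
    salt, expected = rec if known else (_DUMMY_SALT, _DUMMY_HASH)
    matched = _compare(password, salt, expected)
    return matched and known
```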