CVE-2026-32595
Received Received - Intake
Timing Attack Enables Username Enumeration in Traefik BasicAuth

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32595
EUVD
EUVD-2026-13664
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
traefik traefik to 2.11.41 (exc)
traefik traefik From 3.0.0 (inc) to 3.6.11 (inc)
traefik traefik 3.7.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability exists in Traefik's BasicAuth middleware, which is used for HTTP authentication. The issue is a timing attack that allows an attacker to determine whether a username exists by measuring how long the system takes to respond."}, {'type': 'paragraph', 'content': 'When a username exists, the middleware performs a bcrypt password comparison that takes about 166 milliseconds. When the username does not exist, the response is returned almost immediately, in about 0.6 milliseconds. This large timing difference (approximately 298 times) can be observed remotely over the network.'}, {'type': 'paragraph', 'content': 'Because of this timing discrepancy, an unauthenticated attacker can reliably distinguish valid usernames from invalid ones, effectively enumerating usernames. The root cause is that the middleware does not perform a dummy bcrypt comparison for non-existent users, breaking the principle of constant-time execution.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an unauthenticated attacker to enumerate valid usernames on systems using Traefik's BasicAuth middleware. By knowing valid usernames, attackers can focus password brute-force or other targeted attacks on confirmed accounts."}, {'type': 'paragraph', 'content': 'The attack requires only sending HTTP requests and measuring response times, making it low complexity and feasible over the network without any privileges or user interaction.'}, {'type': 'paragraph', 'content': 'While the vulnerability does not directly compromise confidentiality, integrity, or availability of the system, it discloses sensitive information about user existence, which can be leveraged in further attacks.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by measuring the response times of authentication attempts with different usernames against the Traefik BasicAuth middleware.'}, {'type': 'paragraph', 'content': 'An attacker or tester can send multiple HTTP requests with various usernames and observe the timing differences in the responses.'}, {'type': 'paragraph', 'content': 'Valid usernames cause the middleware to perform a bcrypt password comparison taking approximately 166 milliseconds, while invalid usernames return almost immediately in about 0.6 milliseconds.'}, {'type': 'paragraph', 'content': 'A practical detection method involves scripting HTTP requests to the protected endpoint and measuring median response times to distinguish valid from invalid usernames.'}, {'type': 'paragraph', 'content': 'For example, using a command-line tool like curl in a loop combined with timing measurements or a Python script to automate requests and calculate response time medians can reveal the timing discrepancy.'}, {'type': 'list_item', 'content': 'Use curl with time measurement: curl -w "%{time_total}\\n" -o /dev/null -s -u username:password https://target.example.com/protected'}, {'type': 'list_item', 'content': 'Automate multiple requests with different usernames and compare the average or median response times.'}, {'type': 'list_item', 'content': 'A Python script can be used to send HTTP requests and measure response times precisely to detect the timing difference.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Traefik to a patched version where this vulnerability is fixed.

Specifically, upgrade to Traefik versions 2.11.41, 3.6.11, or 3.7.0-ea.2 or later, which include the fix that ensures bcrypt password comparisons are performed regardless of username validity to equalize response times.

Until the upgrade can be applied, consider restricting network access to the BasicAuth-protected endpoints to trusted sources only, to reduce the risk of remote timing attacks.

Monitor authentication logs for suspicious repeated attempts that might indicate username enumeration attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32595. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart