CVE-2026-41263
Timing Side-Channel in Traefik BasicAuth Middleware
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| traefik | traefik | to 2.11.43 (exc) |
| traefik | traefik | From 3.0.0 (inc) to 3.6.14 (exc) |
| traefik | traefik | 3.7.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Traefik's BasicAuth middleware prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2. It is a timing side-channel vulnerability that allows an attacker to enumerate valid usernames by measuring differences in response times during authentication.
The issue arises because the variable intended to hold a constant-time fallback secret is actually an empty string. This causes the constant-time comparison to short-circuit very quickly instead of performing a full bcrypt evaluation, which would normally take longer.
As a result, attackers can distinguish between existing and non-existing users by observing how long the authentication response takes, effectively restoring the timing oracle that the constant-time comparison was supposed to prevent.
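The mechanism above is easier to see in code. The following Go program is an added illustration and is not Traefik's own code: it models an htpasswd-style authenticator whose "user not found" path verifies against a fallback hash. Because the example has to run without golang.org/x/crypto, bcrypt is replaced by an iterated SHA-256 stand-in (an assumption; the property that matters, a fixed and large verification cost for any well-formed hash, is preserved). The user table, salts and the `CostMeter` instrumentation are constructed for the example; it counts hash rounds rather than wall-clock time so the difference between the empty fallback and a precomputed dummy hash is deterministic.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// StretchRounds is the fixed work factor of the stand-in hash. Real Traefik uses
// bcrypt; this iterated SHA-256 stand-in (an assumption made so the example needs
// no external module) keeps the one property that matters here: verifying a
// password against a well-formed hash always costs the same, large amount of work.
const StretchRounds = 20000

// CostMeter counts hash rounds so the work done by one attempt can be observed
// directly instead of through noisy timing measurements.
type CostMeter struct{ Rounds int }

func stretch(salt, password string, m *CostMeter) []byte {
	sum := sha256.Sum256([]byte(salt + ":" + password))
	for i := 0; i < StretchRounds; i++ {
		sum = sha256.Sum256(sum[:])
		if m != nil {
			m.Rounds++
		}
	}
	return sum[:]
}

// HashPassword returns the stored form "salt$hexdigest".
func HashPassword(salt, password string) string {
	return salt + "$" + hex.EncodeToString(stretch(salt, password, nil))
}

// VerifyPassword mirrors how bcrypt treats malformed input: an empty or
// unparsable stored hash is rejected before any expensive work is done. That
// early return is the short-circuit the advisory describes.
func VerifyPassword(storedHash, password string, m *CostMeter) bool {
	salt, digestHex, ok := strings.Cut(storedHash, "$")
	if !ok {
		return false
	}
	want, err := hex.DecodeString(digestHex)
	if err != nil {
		return false
	}
	got := stretch(salt, password, m)
	return subtle.ConstantTimeCompare(got, want) == 1
}

// Authenticator holds the user table and the fallback hash that is evaluated
// when the requested user does not exist.
type Authenticator struct {
	Users        map[string]string
	FallbackHash string
}

// Authenticate always runs exactly one verification, against the user's real
// hash or against FallbackHash, so an unknown user costs the same as a known one
// provided FallbackHash is a real, well-formed hash. The result is only accepted
// when the user actually exists.
func (a *Authenticator) Authenticate(user, password string, m *CostMeter) bool {
	stored, found := a.Users[user]
	if !found {
		stored = a.FallbackHash
	}
	ok := VerifyPassword(stored, password, m)
	return ok && found
}

// CostForAttempt reports how many hash rounds one login attempt performed.
func CostForAttempt(a *Authenticator, user, password string) int {
	var m CostMeter
	a.Authenticate(user, password, &m)
	return m.Rounds
}

// BuildExample returns two authenticators over the same constructed user table:
// one with the empty fallback the advisory describes, one with a precomputed
// dummy hash as the fallback (the fixed pattern).
func BuildExample() (vulnerable, fixed *Authenticator) {
	users := map[string]string{"alice": HashPassword("s4lt", "correct horse")} // constructed sample user
	vulnerable = &Authenticator{Users: users, FallbackHash: ""}
	fixed = &Authenticator{Users: users, FallbackHash: HashPassword("dummy", "unused fallback password")}
	return vulnerable, fixed
}

func main() {
	vulnerable, fixed := BuildExample()
	fmt.Printf("empty fallback:      known user %5d rounds, unknown user %5d rounds\n",
		CostForAttempt(vulnerable, "alice", "x"), CostForAttempt(vulnerable, "nobody", "x"))
	fmt.Printf("dummy-hash fallback: known user %5d rounds, unknown user %5d rounds\n",
		CostForAttempt(fixed, "alice", "x"), CostForAttempt(fixed, "nobody", "x"))
}
```

With the empty fallback the unknown-user path performs zero rounds while the known-user path performs the full stretch, which is exactly the observable gap the CWE-208 entry on this page describes; with a precomputed dummy hash both paths do identical work and the login outcome still depends only on the user existing and the password matching.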
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to enumerate valid usernames on your system using Traefik's BasicAuth middleware.
Knowing valid usernames is often a first step in targeted attacks such as brute force password attempts or social engineering, potentially leading to unauthorized access.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Traefik to one of the patched versions: 2.11.43, 3.6.14, or 3.7.0-rc.2.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to enumerate valid usernames through timing side-channel attacks in Traefik's BasicAuth middleware. While this can expose user existence information, the impact on system confidentiality is low and it does not directly affect data integrity or availability.
There is no explicit information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by measuring the response times of authentication attempts against the Traefik BasicAuth middleware. An attacker can enumerate valid usernames by observing differences in response times between valid and invalid usernames due to the timing side-channel.
To detect this on your system, you can perform repeated authentication requests with different usernames and measure the response times. Significant timing differences may indicate the presence of the vulnerability.
Example commands using curl and time measurement in a Unix-like shell might include:
- Use curl to send authentication requests and measure time: `time curl -u username:password http://your-traefik-endpoint`
- Automate multiple requests with different usernames and record response times to compare them.
- Analyze the timing data to identify statistically significant differences that could reveal valid usernames.