CVE-2026-41263
Received Received - Intake
Timing Side-Channel in Traefik BasicAuth Middleware

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitHub, Inc.

Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. This restores the original timing oracle and makes it possible to distinguish existing users from non-existing ones by measuring authentication response times. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41263
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
traefik traefik 3.7.0
traefik traefik 3.7.0
traefik traefik to 2.11.43 (exc)
traefik traefik From 3.0.0 (inc) to 3.6.14 (exc)
traefik traefik 3.7.0
traefik traefik 3.7.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by measuring the response times of authentication attempts against the Traefik BasicAuth middleware. An attacker can enumerate valid usernames by observing differences in response times between valid and invalid usernames due to the timing side-channel.

To detect this on your system, you can perform repeated authentication requests with different usernames and measure the response times. Significant timing differences may indicate the presence of the vulnerability.

Example commands using curl and time measurement in a Unix-like shell might include:

  • Use curl to send authentication requests and measure time: `time curl -u username:password http://your-traefik-endpoint`
  • Automate multiple requests with different usernames and record response times to compare them.
  • Analyze the timing data to identify statistically significant differences that could reveal valid usernames.
Executive Summary

This vulnerability exists in Traefik's BasicAuth middleware prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2. It is a timing side-channel vulnerability that allows an attacker to enumerate valid usernames by measuring differences in response times during authentication.

The issue arises because the variable intended to hold a constant-time fallback secret is actually an empty string. This causes the constant-time comparison to short-circuit very quickly instead of performing a full bcrypt evaluation, which would normally take longer.

As a result, attackers can distinguish between existing and non-existing users by observing how long the authentication response takes, effectively restoring the timing oracle that the constant-time comparison was supposed to prevent.

Impact Analysis

This vulnerability can impact you by allowing attackers to enumerate valid usernames on your system using Traefik's BasicAuth middleware.

Knowing valid usernames is often a first step in targeted attacks such as brute force password attempts or social engineering, potentially leading to unauthorized access.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Traefik to one of the patched versions: 2.11.43, 3.6.14, or 3.7.0-rc.2.

Compliance Impact

The vulnerability allows attackers to enumerate valid usernames through timing side-channel attacks in Traefik's BasicAuth middleware. While this can expose user existence information, the impact on system confidentiality is low and it does not directly affect data integrity or availability.

There is no explicit information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41263. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart