CVE-2026-44332
Received Received - Intake

BasicAuth Username Enumeration in Fiber Framework

Vulnerability report for CVE-2026-44332, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username enumeration through response timing differences. This issue is fixed in version 3.3.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gofiber fiber 3.3.0
gofiber fiber to 3.3.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability allows attackers to perform remote username enumeration without any privileges or user interaction by measuring response times during authentication attempts.

  • Attackers can identify valid usernames, which can be used to launch targeted brute force attacks.
  • Discovery of sensitive usernames may lead to further exploitation or social engineering attacks.

The severity is considered moderate with a CVSS score of 5.3, as the attack is remote and requires no user interaction.

Compliance Impact

CVE-2026-44332 allows remote attackers to reliably enumerate valid usernames through timing differences in the BasicAuth middleware of the Fiber web framework. This username enumeration vulnerability can lead to the disclosure of sensitive user information, which may increase the risk of targeted attacks and unauthorized access attempts.

Such exposure of user identity information can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and preventing unauthorized disclosure. By enabling attackers to identify valid usernames, this vulnerability could facilitate further attacks that compromise confidentiality and privacy obligations under these standards.

The vulnerability has a moderate severity (CVSS 5.3) and is fixed in Fiber version 3.3.0 by eliminating timing discrepancies during authentication attempts, thus reducing the risk of user enumeration and helping maintain compliance with security best practices required by common regulations.

Executive Summary

CVE-2026-44332 is a timing-based user enumeration vulnerability in the BasicAuth middleware of the Fiber web framework, which is written in Go. The issue arises because the default Authorizer function uses short-circuit evaluation that skips password hash comparison for usernames that do not exist. This causes a measurable difference in response times between valid and invalid usernames.

Attackers can exploit this timing difference to reliably determine which usernames exist on the system by measuring how long authentication attempts take. The vulnerability affects Fiber versions prior to 3.3.0 and is fixed by always performing a password hash verification, even for unknown usernames, using a dummy verifier function to eliminate timing discrepancies.

Detection Guidance

This vulnerability can be detected by observing timing differences in authentication responses when attempting to authenticate with valid versus invalid usernames. Specifically, an attacker can measure response latency differences that are approximately 1,000,000 times slower for valid users (~100ms) compared to invalid users (~100ns).

To detect this on your system or network, you can perform repeated authentication attempts against the BasicAuth middleware of the Fiber web framework and measure the response times for different usernames. Significant timing discrepancies indicate the presence of the vulnerability.

While no explicit commands are provided in the resources, a practical approach involves using tools like curl or custom scripts to send authentication requests and measure response times. For example, using curl with time measurement:

  • curl -w "%{time_total}\n" -u validuser:password -o /dev/null -s http://target/resource
  • curl -w "%{time_total}\n" -u invaliduser:password -o /dev/null -s http://target/resource

Comparing the output times for valid and invalid usernames can reveal timing differences indicative of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade the Fiber web framework to version 3.3.0 or later, where this vulnerability has been fixed.

The fix involves updating the BasicAuth middleware to always perform a dummy password hash verification for unknown usernames, eliminating timing discrepancies that allow username enumeration.

If upgrading immediately is not possible, consider implementing additional rate limiting or monitoring on authentication attempts to reduce the risk of timing-based enumeration attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44332. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart