{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32595", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T14:54:24.268Z", "datePublished": "2026-03-20T10:08:41.636Z", "dateUpdated": "2026-03-20T15:38:35.378Z"}, "containers": {"cna": {"title": "Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration", "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.11.41", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 2.11.41", "status": "affected"}, {"version": ">= 3.0.0-beta1, < 3.6.11", "status": "affected"}, {"version": ">= 3.7.0-ea.1, < 3.7.0-ea.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:08:41.636Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."}], "source": {"advisory": "GHSA-g3hg-j4jv-cwfr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:38:09.554987Z", "id": "CVE-2026-32595", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:38:35.378Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32595", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:38:09.554987Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:38:28.829Z"}}], "cna": {"title": "Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration", "source": {"advisory": "GHSA-g3hg-j4jv-cwfr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": "< 2.11.41"}, {"status": "affected", "version": ">= 3.0.0-beta1, < 3.6.11"}, {"status": "affected", "version": ">= 3.7.0-ea.1, < 3.7.0-ea.2"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.11.41", "name": "https://github.com/traefik/traefik/releases/tag/v2.11.41", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "name": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2", "name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:08:41.636Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32595", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:38:35.378Z", "dateReserved": "2026-03-12T14:54:24.268Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T10:08:41.636Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "440A1D58-1FFD-408A-A6B0-25E23F5C24AF", "versionEndExcluding": "2.11.41", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "90620FAD-4F72-465E-A744-D62559C92F18", "versionEndIncluding": "3.6.11", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*", "matchCriteriaId": "7881B288-5141-4508-AB71-3F7586168437", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."}, {"lang": "es", "value": "Traefik es un proxy inverso HTTP y un balanceador de carga. Las versiones 2.11.40 e inferiores, 3.0.0-beta1 hasta 3.6.11, y 3.7.0-ea.1 contienen un middleware BasicAuth que permite la enumeraci\u00f3n de nombres de usuario mediante un ataque de temporizaci\u00f3n. Cuando un nombre de usuario enviado existe, el middleware realiza una comparaci\u00f3n de contrase\u00f1as bcrypt que tarda aproximadamente 166 ms. Cuando el nombre de usuario no existe, la respuesta se devuelve inmediatamente en aproximadamente 0.6 ms. Esta diferencia de temporizaci\u00f3n de aproximadamente 298x es observable a trav\u00e9s de la red y permite a un atacante no autenticado distinguir de forma fiable los nombres de usuario v\u00e1lidos de los no v\u00e1lidos. Este problema est\u00e1 parcheado en las versiones 2.11.41, 3.6.11 y 3.7.0-ea.2."}], "id": "CVE-2026-32595", "lastModified": "2026-03-24T15:14:24.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T11:18:02.537", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "traefik: Traefik: Username enumeration via timing attack in BasicAuth middleware", "id": "2449591", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449591"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-208", "details": ["A flaw was found in Traefik. An unauthenticated attacker can exploit a timing attack vulnerability in the BasicAuth middleware. By observing the time it takes for the middleware to respond, an attacker can determine if a submitted username is valid or not. This information disclosure allows for username enumeration."], "mitigation": {"lang": "en:us", "value": "To mitigate the risk of username enumeration, restrict network access to the Traefik instance using firewall rules or network policies, allowing connections only from trusted sources. If BasicAuth is not strictly required, consider disabling or removing the BasicAuth middleware configuration."}, "name": "CVE-2026-32595", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-03-20T10:08:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32595\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32595\nhttps://github.com/traefik/traefik/releases/tag/v2.11.41\nhttps://github.com/traefik/traefik/releases/tag/v3.6.11\nhttps://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\nhttps://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr"], "statement": "MODERATE. The vulnerability in Traefik's BasicAuth middleware allows an unauthenticated attacker to perform username enumeration through a timing attack. By observing response times, an attacker can distinguish valid usernames from invalid ones. This information disclosure could aid in further targeted attacks against Red Hat OpenShift Dev Spaces deployments utilizing Traefik with BasicAuth.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.41)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0-beta1,3.6.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.7.0-ea.1,3.7.0-ea.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "traefik", "source": "cna", "vendor": "traefik"}, "product": "traefik", "vendor": "traefik"}], "analysis": {"en": {"generated_at": "2026-03-20T11:50:31.038157+00:00", "value": {"mitigation_remediation": ["Apply the patched Traefik release 2.11.41 or later, 3.6.11 or later, or 3.7.0\u2011ea.2 or newer \u2013 this is the vendor's official mitigation.", "Disable or restrict access to the BasicAuth middleware on publicly exposed routes as a temporary containment measure if a patch cannot be applied immediately."], "summary": {"action": "Patch", "impact": "Username Enumeration"}, "threat_synthesis": {"affected_systems": "Affected versions include Traefik 2.11.40 and earlier, 3.0.0\u2011beta1 through 3.6.11, and 3.7.0\u2011ea.1. The issue is resolved in 2.11.41, 3.6.11, and 3.7.0\u2011ea.2 or newer releases.", "description_and_impact": "Traefik, an HTTP reverse proxy and load balancer, contains a timing vulnerability in its BasicAuth middleware that permits an unauthenticated attacker to determine whether a username is valid. When a supplied username exists, the middleware performs a bcrypt comparison that takes approximately 166\u202fms; if the username is absent, the response returns almost immediately in about 0.6\u202fms. The resulting ~298\u00d7 difference in response time is observable over the network and allows reliable enumeration of usernames. This weakness is identified as CWE\u2011208 and can facilitate subsequent credential\u2011guessing or brute\u2011force attacks, undermining account confidentiality.", "risk_and_exploitability": "The CVSS score is 6.3, indicating moderate to high impact. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is network\u2011based: an attacker can interact with the BasicAuth middleware and measure response times to identify valid usernames, making exploitation likely for adversaries with network access to the service endpoints."}}}}, "created": "2026-03-20T14:13:47.086984+00:00", "updated": "2026-03-20T16:27:24.697512+00:00", "vendors": ["traefik", "traefik$PRODUCT$traefik"]}