CVE-2026-32595

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/traefik/traefik/releases/tag/v2.11.41	Release Notes
https://github.com/traefik/traefik/releases/tag/v3.6.11	Release Notes
https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2	Release Notes
https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:traefik:traefik::::::::
	cpe:2.3:a:traefik:traefik::::::::
	cpe:2.3:a:traefik:traefik:3.7.0:ea1::::::

History

No history.

Information

Published : 2026-03-20 11:18

Updated : 2026-03-24 15:14

NVD link : CVE-2026-32595

Mitre link : CVE-2026-32595

CVE.ORG link : CVE-2026-32595

JSON object : View

Products Affected

traefik

traefik

CWE

CWE-208

Observable Timing Discrepancy

{"id": "CVE-2026-32595", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T11:18:02.537", "references": [{"url": "https://github.com/traefik/traefik/releases/tag/v2.11.41", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-208"}]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."}, {"lang": "es", "value": "Traefik es un proxy inverso HTTP y un balanceador de carga. Las versiones 2.11.40 e inferiores, 3.0.0-beta1 hasta 3.6.11, y 3.7.0-ea.1 contienen un middleware BasicAuth que permite la enumeraci\u00f3n de nombres de usuario mediante un ataque de temporizaci\u00f3n. Cuando un nombre de usuario enviado existe, el middleware realiza una comparaci\u00f3n de contrase\u00f1as bcrypt que tarda aproximadamente 166 ms. Cuando el nombre de usuario no existe, la respuesta se devuelve inmediatamente en aproximadamente 0.6 ms. Esta diferencia de temporizaci\u00f3n de aproximadamente 298x es observable a trav\u00e9s de la red y permite a un atacante no autenticado distinguir de forma fiable los nombres de usuario v\u00e1lidos de los no v\u00e1lidos. Este problema est\u00e1 parcheado en las versiones 2.11.41, 3.6.11 y 3.7.0-ea.2."}], "lastModified": "2026-03-24T15:14:24.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "440A1D58-1FFD-408A-A6B0-25E23F5C24AF", "versionEndExcluding": "2.11.41"}, {"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90620FAD-4F72-465E-A744-D62559C92F18", "versionEndIncluding": "3.6.11", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7881B288-5141-4508-AB71-3F7586168437"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}