PT-2026-26602 · Traefik · Traefik
F1Vet · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-32595
CVSS v4.0: 6.3 (Medium)
| Vector | AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Traefik versions 2.11.40 and below
Traefik versions 3.0.0-beta1 through 3.6.11
Traefik version 3.7.0-ea.1
Description
Traefik's BasicAuth middleware contains a flaw that lets an unauthenticated attacker enumerate valid usernames through a timing side channel. When the submitted username exists, the middleware performs a bcrypt comparison of the password, which takes approximately 166 milliseconds; when it does not, the request is rejected immediately, in about 0.6 milliseconds. This roughly 298-fold difference is observable over the network and lets an attacker reliably determine which usernames are valid.
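The following added example (not Traefik's code) shows the vulnerable lookup pattern beside the usual mitigation: always run the slow password hash, against a precomputed dummy entry when the username is unknown, so both paths cost the same. It substitutes the standard library's PBKDF2 for bcrypt and a constructed user store for the htpasswd file; the user names, passwords and iteration count are all made up.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library.
# The iteration count only needs to make the hash measurably slow.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, hash); a fresh random salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store standing in for an htpasswd-style user list.
USERS = {"alice": hash_password("correct horse battery")}

# Dummy credential hashed once at start-up; it is never accepted as valid.
_DUMMY_SALT, _DUMMY_HASH = hash_password("placeholder-never-accepted")


def verify_leaky(username, password):
    """Vulnerable pattern: an unknown username skips the slow hash entirely."""
    entry = USERS.get(username)
    if entry is None:
        return False  # answers in microseconds: this is the timing side channel
    salt, expected = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def verify_constant_work(username, password):
    """Hardened pattern: hash against a real or dummy entry, then decide."""
    entry = USERS.get(username)
    known = entry is not None
    salt, expected = entry if known else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    match = hmac.compare_digest(candidate, expected)
    return known and match  # both operands are computed before the decision


def _timed(verify, user):
    start = time.perf_counter()
    verify(user, "wrong password")
    return time.perf_counter() - start


def timing_ratio(verify, runs=3):
    """Best-of-N time for a known username divided by that for an unknown one."""
    best = lambda user: min(_timed(verify, user) for _ in range(runs))
    return best("alice") / best("nobody")
```

`timing_ratio(verify_leaky)` comes out in the hundreds or more, while `timing_ratio(verify_constant_work)` stays close to 1, which is the property a defender wants to check after patching.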
Recommendations
Update to Traefik version 2.11.41 or later.
Update to Traefik version 3.6.11 or later.
Update to Traefik version 3.7.0-ea.2 or later.
Affected Products
Traefik