PT-2026-36184 · Traefik · Traefik

Kodareef5 · Published 2026-04-24 · Updated 2026-05-05 · CVE-2026-41263

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Traefik versions prior to 2.11.43
Traefik versions prior to 3.6.14
Traefik versions prior to 3.7.0-rc.2

Description

A timing side-channel issue exists in the BasicAuth middleware. A variable meant to provide a constant-time fallback secret always resolves to an empty string, so the constant-time comparison short-circuits quickly instead of completing a full bcrypt evaluation. This creates a timing oracle that allows an attacker to enumerate valid usernames by measuring differences in authentication response times.

Recommendations

Update to version 2.11.43
Update to version 3.6.14
Update to version 3.7.0-rc.2
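The following is an added illustration, not Traefik's code: the fast-fail pattern the description names (an empty fallback secret that is rejected before any bcrypt work) beside the constant-cost form a fix restores (an unknown username is checked against a precomputed dummy hash, so both branches pay for one full hash evaluation). It assumes hashlib.pbkdf2_hmac as a stand-in for bcrypt so it runs with the standard library only; the user store, usernames and the dummy-hash setup are constructed for the example.

```python
"""Fast-fail vs. constant-cost fallback in a BasicAuth-style check (added example).
ASSUMPTION: hashlib.pbkdf2_hmac with a high iteration count stands in for bcrypt
so this runs offline with the standard library only; Traefik itself uses bcrypt."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # deliberately slow, playing the role of a bcrypt cost factor
HASH_LEN = 32          # sha256 digest size
kdf_calls = 0          # counts expensive KDF runs so the timing asymmetry is observable

def slow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for one bcrypt evaluation: the only expensive step in the check."""
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def kdf_call_count() -> int:
    return kdf_calls

def compare_hash(stored: bytes, salt: bytes, password: str) -> bool:
    """Mirrors bcrypt.CompareHashAndPassword: a malformed (here: empty) stored hash
    is rejected before any expensive work, which is exactly what leaks timing."""
    if len(stored) != HASH_LEN:
        return False
    return hmac.compare_digest(stored, slow_hash(password, salt))

def make_user(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)

USERS = {"alice": make_user("correct horse")}   # constructed sample user store
# Hardened fallback: a real hash of a random secret, derived once at start-up.
DUMMY_SALT, DUMMY_HASH = make_user(os.urandom(32).hex())

def vulnerable_verify(username: str, password: str) -> bool:
    """Vulnerable shape: the fallback secret is the empty string, so an unknown
    username returns without running the KDF while a known one pays the full cost."""
    salt, stored = USERS.get(username, (b"", b""))
    return compare_hash(stored, salt, password)

def hardened_verify(username: str, password: str) -> bool:
    """Fixed shape: unknown usernames are checked against the dummy hash, so both
    branches run exactly one KDF; the result is still forced to False."""
    known = username in USERS
    salt, stored = USERS[username] if known else (DUMMY_SALT, DUMMY_HASH)
    return compare_hash(stored, salt, password) and known
```

The KDF call counter makes the oracle visible without a stopwatch: the vulnerable path runs zero expensive hashes for an unknown user, the hardened path always runs one.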

Related Identifiers

CVE-2026-41263
GHSA-6X2Q-H3CR-8J2H
OPENSUSE-SU-2026:10697-1
OPENSUSE-SU-2026:10698-1

Affected Products

Traefik