{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32595", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T14:54:24.268Z", "datePublished": "2026-03-20T10:08:41.636Z", "dateUpdated": "2026-03-20T15:38:35.378Z"}, "containers": {"cna": {"title": "Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration", "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.11.41", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 2.11.41", "status": "affected"}, {"version": ">= 3.0.0-beta1, < 3.6.11", "status": "affected"}, {"version": ">= 3.7.0-ea.1, < 3.7.0-ea.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:08:41.636Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."}], "source": {"advisory": "GHSA-g3hg-j4jv-cwfr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:38:09.554987Z", "id": "CVE-2026-32595", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:38:35.378Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32595", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:38:09.554987Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:38:28.829Z"}}], "cna": {"title": "Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration", "source": {"advisory": "GHSA-g3hg-j4jv-cwfr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": "< 2.11.41"}, {"status": "affected", "version": ">= 3.0.0-beta1, < 3.6.11"}, {"status": "affected", "version": ">= 3.7.0-ea.1, < 3.7.0-ea.2"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.11.41", "name": "https://github.com/traefik/traefik/releases/tag/v2.11.41", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "name": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2", "name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:08:41.636Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32595", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:38:35.378Z", "dateReserved": "2026-03-12T14:54:24.268Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T10:08:41.636Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."}], "id": "CVE-2026-32595", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T11:18:02.537", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/releases/tag/v2.11.41"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.41)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0-beta1,3.6.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.7.0-ea.1,3.7.0-ea.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "traefik", "source": "cna", "vendor": "traefik"}, "product": "traefik", "vendor": "traefik"}], "analysis": {"en": {"generated_at": "2026-03-20T11:50:31.038157+00:00", "value": {"mitigation_remediation": ["Apply the patched Traefik release 2.11.41 or later, 3.6.11 or later, or 3.7.0\u2011ea.2 or newer \u2013 this is the vendor's official mitigation.", "Disable or restrict access to the BasicAuth middleware on publicly exposed routes as a temporary containment measure if a patch cannot be applied immediately."], "summary": {"action": "Patch", "impact": "Username Enumeration"}, "threat_synthesis": {"affected_systems": "Affected versions include Traefik 2.11.40 and earlier, 3.0.0\u2011beta1 through 3.6.11, and 3.7.0\u2011ea.1. The issue is resolved in 2.11.41, 3.6.11, and 3.7.0\u2011ea.2 or newer releases.", "description_and_impact": "Traefik, an HTTP reverse proxy and load balancer, contains a timing vulnerability in its BasicAuth middleware that permits an unauthenticated attacker to determine whether a username is valid. When a supplied username exists, the middleware performs a bcrypt comparison that takes approximately 166\u202fms; if the username is absent, the response returns almost immediately in about 0.6\u202fms. The resulting ~298\u00d7 difference in response time is observable over the network and allows reliable enumeration of usernames. This weakness is identified as CWE\u2011208 and can facilitate subsequent credential\u2011guessing or brute\u2011force attacks, undermining account confidentiality.", "risk_and_exploitability": "The CVSS score is 6.3, indicating moderate to high impact. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is network\u2011based: an attacker can interact with the BasicAuth middleware and measure response times to identify valid usernames, making exploitation likely for adversaries with network access to the service endpoints."}}}}, "created": "2026-03-20T14:13:47.086984+00:00", "updated": "2026-03-20T16:27:24.697512+00:00", "vendors": ["traefik", "traefik$PRODUCT$traefik"]}