Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
AnalysisAI
Traefik's BasicAuth middleware contains a timing attack vulnerability that enables username enumeration through observable response time differences between valid and invalid usernames. An unauthenticated network attacker can distinguish existing usernames from non-existent ones by measuring response latency-valid usernames trigger ~166ms bcrypt operations while invalid usernames return in ~0.6ms, creating a ~298x timing differential. Affected versions include Traefik 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1; patches are available in versions 2.11.41, 3.6.11, and 3.7.0-ea.2.
Technical ContextAI
This vulnerability exploits timing side-channels in cryptographic implementations, specifically classified under CWE-208 (Observable Timing Discrepancy). Traefik's BasicAuth middleware (cpe:2.3:a:traefik:traefik) implements HTTP Basic Authentication using bcrypt password hashing. The root cause stems from an optimization where the middleware returns immediately upon detecting a non-existent username without performing the expensive bcrypt comparison operation that occurs for valid usernames. This conditional execution pattern leaks information about user database membership through measurable network latency differences. The attack is feasible because bcrypt's intentionally slow design (~166ms) creates a large enough timing gap to be reliably detected over standard network connections, even with inherent latency noise.
RemediationAI
Immediately upgrade Traefik to version 2.11.41 (for 2.x deployments), 3.6.11 (for stable 3.x deployments), or 3.7.0-ea.2 or later (for early access branches). These patched versions implement constant-time username validation by performing bcrypt operations for all usernames—whether they exist or not—eliminating the observable timing differential. For organizations unable to patch immediately, implement network-level mitigations: restrict BasicAuth endpoints to trusted IP ranges via firewall rules or network access controls, deploy rate limiting on authentication endpoints to increase measurement difficulty and detection probability, and consider supplementing BasicAuth with additional authentication factors (mutual TLS, API keys) that are less susceptible to timing attacks. Review Traefik configuration to ensure BasicAuth is not unnecessarily exposed to untrusted networks. Consult the official security advisory at https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr for version-specific deployment guidance.
Traefik is an open source HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is re
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable
Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is
Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.8), this vulnerabil
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inheri
In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik
Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.1), this vulnerability is remotely explo
Identity/authorization header spoofing in Traefik reverse proxy (before v2.11.51, v3.6.22, and v3.7.6) lets an attacker
Traefik reverse proxy and load balancer contains an mTLS authentication bypass vulnerability that allows attackers to ci
Traefik versions before 2.11.38 and 3.6.9 allow remote attackers to cause denial of service by sending incomplete TLS re
Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resou
Same weakness CWE-208 – Observable Timing Discrepancy
View allSame technique Information Disclosure
View allVendor StatusVendor
Debian
Bug #983289| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| open | - | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13664
GHSA-g3hg-j4jv-cwfr