Traefik CVE-2026-41263

MEDIUM
Observable Timing Discrepancy (CWE-208)
2026-04-24 https://github.com/traefik/traefik GHSA-6x2q-h3cr-8j2h
Oracle Information Disclosure Python
Share

Lifecycle Timeline

1
Analysis Generated
Apr 24, 2026 - 21:00 vuln.today

DescriptionNVD

Summary

There is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences.

The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. This restores the original timing oracle and makes it possible to distinguish existing users from non-existing ones by measuring authentication response times.

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.43
  • https://github.com/traefik/traefik/releases/tag/v3.6.14
  • https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2

For more information

If there are any questions or comments about this advisory, please open an issue.

<details> <summary>Original Description</summary>

BasicAuth Timing Regression: CVE-2026-32595 Fix Is a No-Op Due to Map Key/Value Confusion

TL;DR

The patch for CVE-2026-32595 is a no-op. Line 49 of basic_auth.go has a map key/value confusion that makes notFoundSecret always "". The "constant time" fallback calls goauth.CheckSecret(password, ""), which fast-fails in ~1us instead of running bcrypt (~60ms).

Evidence (HEAD 786f7192e, 2026-04-09)

Black-box PoC against live traefik binary on port 28080:

| bucket | n | median | min | |------------------------------|-----|----------|----------| | existing user (wrong pw) | 240 | 62.85 ms | 57.54 ms | | nonexistent user (wrong pw) | 400 | 0.48 ms | 0.35 ms |

Median ratio: 130.4x. Classification: 8/8 correct.

Go in-tree test: goauth.CheckSecret direct ratio 12,746x.

Root cause (4-step trace)

  1. basic_auth.go:49: users[slices.Collect(maps.Values(users))[0]] -- looks

up a hash as a username key, returns "".

  1. basic_auth.go:119-120: calls goauth.CheckSecret(password, "").
  2. go-http-auth/basic.go:87: empty string matches no prefix, falls to default

compareMD5HashAndPassword.

  1. basic.go:107-109: bytes.SplitN("", "$", 4) returns length 1, function

returns instantly.

Files

  • poc/exploit.py -- black-box Python timing oracle
  • poc/basic_auth_timing_regression_test.go -- Go in-tree test
  • poc/traefik.yml + poc/dynamic.yml -- traefik config
  • poc/live_http_poc_output_head.txt -- verbatim PoC output on HEAD

Koda Reef

</details>

---

AnalysisAI

Traefik's BasicAuth middleware contains a timing side-channel vulnerability that allows attackers to enumerate valid usernames through response-time analysis. A map key/value confusion in the constant-time comparison fallback causes the notFoundSecret variable to always resolve to an empty string, causing authentication checks against non-existent users to complete in microseconds (~0.48ms) instead of performing full bcrypt evaluation (~62ms), creating a 130x timing oracle. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-40514 HIGH
8.2 Apr 27

SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints t
CVE-2026-41659 LOW
2.7 Apr 29

Admidio members_assignment_data.php endpoint leaks hidden profile field values through a blind search oracle attack. Rol
CVE-2026-42233 MEDIUM
Apr 29

SQL injection in n8n's Oracle Database node allows attackers to inject arbitrary SQL commands through the Limit field wh

Share

CVE-2026-41263 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy