Skip to main content

Traefik EUVDEUVD-2026-13664

| CVE-2026-32595 LOW
Observable Timing Discrepancy (CWE-208)
2026-03-20 GitHub_M GHSA-g3hg-j4jv-cwfr
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 11:00 euvd
EUVD-2026-13664
Analysis Generated
Mar 20, 2026 - 11:00 vuln.today
CVE Published
Mar 20, 2026 - 10:08 nvd
LOW 3.7

DescriptionGitHub Advisory

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.

AnalysisAI

Traefik's BasicAuth middleware contains a timing attack vulnerability that enables username enumeration through observable response time differences between valid and invalid usernames. An unauthenticated network attacker can distinguish existing usernames from non-existent ones by measuring response latency-valid usernames trigger ~166ms bcrypt operations while invalid usernames return in ~0.6ms, creating a ~298x timing differential. Affected versions include Traefik 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1; patches are available in versions 2.11.41, 3.6.11, and 3.7.0-ea.2.

Technical ContextAI

This vulnerability exploits timing side-channels in cryptographic implementations, specifically classified under CWE-208 (Observable Timing Discrepancy). Traefik's BasicAuth middleware (cpe:2.3:a:traefik:traefik) implements HTTP Basic Authentication using bcrypt password hashing. The root cause stems from an optimization where the middleware returns immediately upon detecting a non-existent username without performing the expensive bcrypt comparison operation that occurs for valid usernames. This conditional execution pattern leaks information about user database membership through measurable network latency differences. The attack is feasible because bcrypt's intentionally slow design (~166ms) creates a large enough timing gap to be reliably detected over standard network connections, even with inherent latency noise.

RemediationAI

Immediately upgrade Traefik to version 2.11.41 (for 2.x deployments), 3.6.11 (for stable 3.x deployments), or 3.7.0-ea.2 or later (for early access branches). These patched versions implement constant-time username validation by performing bcrypt operations for all usernames—whether they exist or not—eliminating the observable timing differential. For organizations unable to patch immediately, implement network-level mitigations: restrict BasicAuth endpoints to trusted IP ranges via firewall rules or network access controls, deploy rate limiting on authentication endpoints to increase measurement difficulty and detection probability, and consider supplementing BasicAuth with additional authentication factors (mutual TLS, API keys) that are less susceptible to timing attacks. Review Traefik configuration to ensure BasicAuth is not unnecessarily exposed to untrusted networks. Consult the official security advisory at https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr for version-specific deployment guidance.

CVE-2023-47633 HIGH POC
7.5 Dec 04

Traefik is an open source HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is re

CVE-2019-12452 HIGH POC
7.5 May 29

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable

CVE-2023-47106 MEDIUM POC
6.5 Dec 04

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2022-23469 MEDIUM POC
6.5 Dec 08

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2025-32431 HIGH
8.8 Apr 21

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2023-54365 HIGH
8.7 Jun 23

Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inheri

CVE-2020-15129 MEDIUM POC
4.7 Jul 30

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik

CVE-2021-32813 HIGH
8.1 Aug 03

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.1), this vulnerability is remotely explo

CVE-2026-54763 HIGH
7.8 Jul 06

Identity/authorization header spoofing in Traefik reverse proxy (before v2.11.51, v3.6.22, and v3.7.6) lets an attacker

CVE-2026-32305 HIGH
7.8 Mar 20

Traefik reverse proxy and load balancer contains an mTLS authentication bypass vulnerability that allows attackers to ci

CVE-2026-26999 HIGH
7.5 Mar 05

Traefik versions before 2.11.38 and 3.6.9 allow remote attackers to cause denial of service by sending incomplete TLS re

CVE-2026-25949 HIGH
7.5 Feb 12

Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resou

Vendor StatusVendor

Debian

Bug #983289
traefik
Release Status Fixed Version Urgency
open - -

Share

EUVD-2026-13664 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy