Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware
GHSA-6x2q-h3cr-8j2h · CVE-2026-41263
Published · Modified
Description
Summary
There is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences.
The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. This restores the original timing oracle and makes it possible to distinguish existing users from non-existing ones by measuring authentication response times.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.43
- https://github.com/traefik/traefik/releases/tag/v3.6.14
- https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
For more information
If there are any questions or comments about this advisory, please open an issue.
Original Description
BasicAuth Timing Regression: CVE-2026-32595 Fix Is a No-Op Due to Map Key/Value Confusion
TL;DR
The patch for CVE-2026-32595 is a no-op. Line 49 of basic_auth.go has a
map key/value confusion that makes notFoundSecret always "". The
"constant time" fallback calls goauth.CheckSecret(password, ""), which
fast-fails in ~1us instead of running bcrypt (~60ms).
Evidence (HEAD 786f7192e, 2026-04-09)
Black-box PoC against live traefik binary on port 28080:
| bucket | n | median | min |
|---|---|---|---|
| existing user (wrong pw) | 240 | 62.85 ms | 57.54 ms |
| nonexistent user (wrong pw) | 400 | 0.48 ms | 0.35 ms |
Median ratio: 130.4x. Classification: 8/8 correct.
Go in-tree test: goauth.CheckSecret direct ratio 12,746x.
Root cause (4-step trace)
basic_auth.go:49:users[slices.Collect(maps.Values(users))[0]]-- looks
up a hash as a username key, returns"".basic_auth.go:119-120: callsgoauth.CheckSecret(password, "").go-http-auth/basic.go:87: empty string matches no prefix, falls to defaultcompareMD5HashAndPassword.basic.go:107-109:bytes.SplitN("", "$", 4)returns length 1, function
returns instantly.
Files
poc/exploit.py-- black-box Python timing oraclepoc/basic_auth_timing_regression_test.go-- Go in-tree testpoc/traefik.yml+poc/dynamic.yml-- traefik configpoc/live_http_poc_output_head.txt-- verbatim PoC output on HEAD
Koda Reef
References
- WEB https://github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-41263
- PACKAGE https://github.com/traefik/traefik
- WEB https://github.com/traefik/traefik/releases/tag/v2.11.43
- WEB https://github.com/traefik/traefik/releases/tag/v3.6.14
- WEB https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
Ready to move
Start Securing
Free, no credit card | First findings in minutes