Description
Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0.
Published: 2026-02-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Enumeration via Timing Attack
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows an attacker to discover which usernames exist in the system by measuring the time it takes for the server to respond to Basic Authentication attempts. The server performs a username check before verifying the password, causing a delay for valid usernames (e.g., due to bcrypt hashing) while invalid usernames are rejected immediately. This timing difference reveals valid accounts, enabling attackers to conduct focused brute‑force or credential‑stuffing attacks. The impact is primarily the exposure of legitimate usernames, which facilitates subsequent credential‑guessing or social‑engineering attacks, but does not directly disclose passwords or grant elevated privileges.

Affected Systems

Static Web Server version 2.1.0 through 2.40.1 is affected. The issue has been fixed in version 2.41.0. All installations of the affected range should be reviewed and upgraded accordingly.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity. The EPSS score is less than 1%, suggesting low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be network‑based, requiring an attacker to initiate Basic Authentication over HTTP/HTTPS to observe response times. While the technique is relatively simple, it typically requires automated scripts and precise timing measurements and can be mitigated by ensuring uniform response times for all authentication attempts.

Generated by OpenCVE AI on April 18, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Static Web Server 2.41.0 or later, which removes the CWE‑204 timing‑based enumeration flaw
  • If an upgrade is not feasible, configure the server to use constant‑time authentication responses to address the CWE‑204 weakness
  • If an immediate upgrade is not feasible, disable Basic Authentication or replace it with a more secure authentication scheme that enforces constant‑time responses
  • Limit the impact of potential enumeration attempts by implementing network‑level throttling or rate‑limiting for authentication requests
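The two code paths the description contrasts, shown side by side as an added illustration (this is not SWS's own code nor the 2.41.0 patch): `slow_hash` is a constructed fixed-cost stand-in for bcrypt, `auth_vulnerable` short-circuits on an unknown username (the timing oracle), and `auth_hardened` applies the constant-time-response recommendation above by always running the verification, against a dummy hash when the username is unknown.

```rust
// Added illustration of the CWE-204 pattern in this advisory; not SWS's code.
use std::cell::Cell;
use std::collections::HashMap;

// Counts expensive verifications so both paths compare without flaky wall-clock timing.
thread_local! { static VERIFY_CALLS: Cell<usize> = Cell::new(0); }

/// Fixed-cost stand-in for bcrypt (NOT a real hash): cost is independent of correctness.
fn slow_hash(password: &str) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for _ in 0..20_000 {
        for b in password.bytes() {
            h = (h ^ u64::from(b)).wrapping_mul(0x0000_0100_0000_01b3);
        }
    }
    h
}

fn slow_verify(password: &str, stored: u64) -> bool {
    VERIFY_CALLS.with(|c| c.set(c.get() + 1));
    slow_hash(password) == stored
}

pub fn verify_calls() -> usize { VERIFY_CALLS.with(|c| c.get()) }
pub fn reset_calls() { VERIFY_CALLS.with(|c| c.set(0)) }

/// Vulnerable pattern: an unknown username gets 401 before any hashing, so
/// its response is measurably faster than a known username's (the oracle).
pub fn auth_vulnerable(users: &HashMap<&str, u64>, user: &str, pw: &str) -> u16 {
    match users.get(user) {
        None => 401,
        Some(&stored) if slow_verify(pw, stored) => 200,
        Some(_) => 401,
    }
}

/// Hardened pattern: always pay the verification cost, against a dummy hash
/// (made at startup with the same parameters) when the username is unknown.
pub fn auth_hardened(users: &HashMap<&str, u64>, dummy: u64, user: &str, pw: &str) -> u16 {
    let (stored, known) = match users.get(user) {
        Some(&s) => (s, true),
        None => (dummy, false),
    };
    let ok = slow_verify(pw, stored);
    if ok && known { 200 } else { 401 }
}
```

The call counter is the observable here: the vulnerable path runs zero hashes for an unknown user and one for a known one, while the hardened path runs exactly one in both cases. Pair this with the rate-limiting recommendation, since uniform cost narrows the oracle but does not replace throttling.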


Tracking


Advisories
Source: Github GHSA
ID: GHSA-qhp6-635j-x7r2
Title: Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
History

Thu, 26 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:static-web-server:static_web_server:*:*:*:*:*:rust:*:*

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared: Static-web-server; Static-web-server Static Web Server
Vendors & Products: Static-web-server; Static-web-server Static Web Server

Sat, 21 Feb 2026 09:30:00 +0000

Type Values Removed Values Added
Description Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0.
Title Static Web Server: Timing-Based Username Enumeration in Basic Authentication
Weaknesses CWE-204
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Static-web-server Static Web Server
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:13:51.921Z

Reserved: 2026-02-19T19:46:03.540Z

Link: CVE-2026-27480

Vulnrichment

Updated: 2026-02-24T18:13:45.808Z

NVD

Status : Analyzed

Published: 2026-02-21T10:16:12.210

Modified: 2026-02-24T16:55:37.307

Link: CVE-2026-27480

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses