Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. This restores the original timing oracle and makes it possible to distinguish existing users from non-existing ones by measuring authentication response times. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Published: 2026-04-30
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik’s BasicAuth middleware contains a timing side‑channel that allows an attacker to determine which usernames exist by measuring how quickly the authentication fails. The vulnerability arises because a variable intended to provide a constant‑time fallback secret resolves to an empty string, causing the comparison to short‑circuit instead of performing a full bcrypt hash operation. This flaw falls under CWE‑208. The attack does not provide direct code execution but gives an adversary valuable information that can accelerate credential‑guessing or social‑engineering attempts, thereby compromising confidentiality of user identities. Its impact is limited to the authentication layer and does not affect broader system stability or data integrity directly.

Affected Systems

The issue affects Traefik releases prior to 2.11.43, 3.6.14, and 3.7.0‑rc.2. All earlier versions of the Traefik product are vulnerable; a safe path is to upgrade to one of the listed patched releases or later.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. No EPSS score is available at present, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw over HTTP by sending authentication requests and measuring response times, requiring only network access to the proxied services. The lack of a publicly known exploit does not reduce the seriousness, as the enumeration capability can facilitate subsequent attacks. Prompt patching or mitigation is therefore advised.

Generated by OpenCVE AI on May 1, 2026 at 04:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to at least version 2.11.43 for the 2.x line or 3.6.14/3.7.0‑rc.2 for the 3.x line, which fix the constant‑time comparison logic.
  • If an immediate upgrade is not possible, restrict BasicAuth‑protected routes to trusted IP ranges to reduce the attack surface for timing enumeration.
  • Enable detailed authentication logging and monitor response‑time patterns for anomalous deviations that could indicate an ongoing timing attack.

Generated by OpenCVE AI on May 1, 2026 at 04:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea2:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea3:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Fri, 01 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Thu, 30 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. This restores the original timing oracle and makes it possible to distinguish existing users from non-existing ones by measuring authentication response times. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Title Traefik: BasicAuth middleware: timing side-channel vulnerability
Weaknesses CWE-208
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

Traefik Traefik
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-01T14:22:40.566Z

Reserved: 2026-04-18T14:01:46.801Z

Link: CVE-2026-41263

cve-icon Vulnrichment

Updated: 2026-05-01T14:22:36.956Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T21:16:33.390

Modified: 2026-05-01T17:37:12.580

Link: CVE-2026-41263

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:00:12Z

Weaknesses