CVE-2026-32595 in Traefik
Summary
by MITRE • 03/20/2026
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 contain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
Analysis
by VulDB Data Team • 03/26/2026
This vulnerability affects Traefik reverse proxy deployments across multiple version ranges and is confined to the BasicAuth middleware that authenticates users. It is a classic timing side channel: an attacker measures differences in response time to determine whether a given username exists. The root cause is that the bcrypt password comparison runs only for some requests, so the authentication path takes a different amount of time depending on whether the username is known.
The weakness lies in how the BasicAuth middleware processes an authentication request. When a valid username is submitted, the middleware performs a computationally expensive bcrypt password comparison that takes approximately 166 milliseconds. When an invalid username is submitted, the middleware returns almost immediately, after approximately 0.6 milliseconds, a 298x differential that can be measured reliably over a network connection. The gap exists because the middleware first checks whether the username is present in its user list and only then starts password verification; the bcrypt comparison never runs for an unknown user.
From an operational impact perspective, this vulnerability lets unauthenticated attackers enumerate usernames on Traefik-protected services, undermining the authentication system. Distinguishing valid from invalid usernames is a significant information disclosure: attackers can systematically identify legitimate accounts without knowing any password. That list of accounts can then feed follow-on attacks such as password spraying, brute-force attempts, or social engineering aimed at the identified users.
The vulnerability aligns with CWE-208 (observable timing discrepancy): the execution time of the authentication path depends on a sensitive condition instead of being constant regardless of input. From an ATT&CK framework perspective, this issue maps to T1212 - Exploitation for Credential Access, where attackers exploit timing differences to extract authentication-related information through indirect means. The vulnerability also relates to T1562.001 - Impair Defenses, as it weakens the authentication system's ability to resist unauthorized access attempts.
The recommended mitigation is to upgrade to a patched version of Traefik, specifically version 2.11.41 or later, or versions 3.6.11 and 3.7.0-ea.2 and higher. Organizations should apply the upgrade promptly, since the vulnerability allows reliable username enumeration without authentication. Additional defensive measures include rate limiting on authentication endpoints, stronger authentication methods such as multi-factor authentication, and monitoring for unusual patterns in authentication request timing or volume that could indicate enumeration attempts. The patched versions close the side channel by making execution time consistent regardless of whether the username is valid.
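The following Go example, added here and not taken from Traefik's source, shows the short-circuit shape described above next to the usual fix: verifying unknown usernames against a dummy hash so the expensive comparison runs on every request. It uses iterated SHA-256 as a stand-in for bcrypt (which lives in golang.org/x/crypto, outside the standard library); the user table, dummy hash, and `Work` counter are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Stand-in for bcrypt (outside the standard library): SHA-256 over username and password, iterated so it takes measurable time.
const iterations = 100000

func slowHash(user, password string) []byte {
	sum := sha256.Sum256([]byte(user + ":" + password))
	for i := 1; i < iterations; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

// Work counts expensive comparisons, so a test can show whether a path does equal work for known and unknown users.
var Work int

// Vulnerable shape: an unknown username returns before any hashing, so response time alone reveals that the account is absent.
func AuthVulnerable(users map[string][]byte, user, pass string) bool {
	want, ok := users[user]
	if !ok {
		return false
	}
	Work++
	return subtle.ConstantTimeCompare(slowHash(user, pass), want) == 1
}

// Hardened shape: an unknown username is compared against a dummy hash so the expensive step always runs; the result is forced to false afterwards.
var dummyHash = slowHash("dummy", "dummy-password")

func AuthHardened(users map[string][]byte, user, pass string) bool {
	want, ok := users[user]
	if !ok {
		want = dummyHash
	}
	Work++
	match := subtle.ConstantTimeCompare(slowHash(user, pass), want) == 1
	return ok && match
}

func main() {
	users := map[string][]byte{"alice": slowHash("alice", "correct horse")}
	fmt.Println(AuthHardened(users, "alice", "correct horse"), AuthHardened(users, "nobody", "x"))
}
```

With real bcrypt the dummy hash must be generated at the same cost factor as the stored hashes, otherwise a smaller version of the timing gap remains.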