CVE-2026-32595: CVE-2026-32595: Information Disclosure via Timing Attack in Traefik BasicAuth

CVE-2026-32595: Information Disclosure via Timing Attack in Traefik BasicAuth

Vulnerability ID: CVE-2026-32595
CVSS Score: 6.3
Published: 2026-03-20

CVE-2026-32595 is an observable timing discrepancy vulnerability in Traefik's BasicAuth middleware affecting versions across the 2.x and 3.x branches. The flaw allows unauthenticated remote attackers to enumerate valid user accounts by measuring the server's response time during authentication attempts.

TL;DR

Traefik's BasicAuth middleware is vulnerable to a timing attack (CWE-208) due to an early exit optimization. Unauthenticated attackers can enumerate valid usernames by measuring response times, as valid users trigger expensive bcrypt operations while invalid users return immediately.

---

⚠️ Exploit Status: POC

Technical Details

• CWE ID: CWE-208
• Attack Vector: Network (AV:N)
• CVSS v4.0: 6.3 (Medium)
• EPSS Score: 0.00036
• Impact: Username Enumeration
• Exploit Status: Proof of Concept (PoC)
• KEV Status: Not Listed

Affected Systems

• Traefik BasicAuth Middleware
• Traefik Kubernetes Ingress Controller (when utilizing BasicAuth annotations)
• Traefik: <= 2.11.40 (Fixed in: 2.11.41)
• Traefik: >= 3.0.0-beta1, <= 3.6.10 (Fixed in: 3.6.11)
• Traefik: 3.7.0-ea.1 (Fixed in: 3.7.0-ea.2)

Exploit Details

• Security Advisory: Public Proof of Concept timing script included in the advisory

Mitigation Strategies

• Upgrade Traefik instances to a patched release that employs constant-time authentication mechanisms.
• Implement robust rate-limiting controls upstream of the BasicAuth middleware to mitigate timing attacks and subsequent denial-of-service risks.
• Monitor authentication logs for high frequencies of HTTP 401 responses originating from single IP addresses.
• Migrate to robust authentication providers utilizing OAuth2, OIDC, or SAML with mandatory Multi-Factor Authentication (MFA).

Remediation Steps:

1. Identify all deployed instances of Traefik acting as ingress controllers or reverse proxies.
2. Determine the current running version of each Traefik instance.
3. Download the corresponding patched version (2.11.41, 3.6.11, or 3.7.0-ea.2).
4. Apply the updated container image or binary to the environment.
5. Configure Traefik's RateLimit middleware on all entry points utilizing BasicAuth.
6. Verify the remediation by running a local timing attack script to ensure response times are indistinguishable.

References

• NVD Vulnerability Detail
• Traefik Security Advisory GHSA-g3hg-j4jv-cwfr

---

Read the full report for CVE-2026-32595 on our website for more details including interactive diagrams and full exploit analysis.