VDB
ANCHORE-2026-32595
ANCHORE-2026-32595
PUBLISHED
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| traefik | traefik | 3.0.0-beta1, 0, 3.7.0-ea.1 |
Timeline
- Mar 20, 2026 CVE Published
- Mar 20, 2026 CVE Updated