CVE-2026-41263: Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware
There is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames by measuring differences in authentication response time.
The middleware is meant to hold a fallback hash that is checked whenever the supplied username is unknown, so that a request for a non-existent user costs as much as a request for an existing user with a wrong password. The variable intended to hold that fallback always resolves to an empty string. Comparing a password against an empty hash fails immediately, in microseconds, instead of performing a full bcrypt evaluation, so requests for unknown users return measurably faster than requests for known users. This restores the original timing oracle and lets an attacker distinguish existing usernames from non-existing ones by timing authentication attempts.
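The following Go program is an added illustration of the bug shape described above and of the corresponding fix; it is not Traefik's code and not the patched code from the advisory. It assumes the general pattern the advisory describes: a user-to-hash map, a fallback hash for unknown usernames, and a password check that fails fast on an empty hash before doing any expensive work (as bcrypt's CompareHashAndPassword does). bcrypt itself is replaced by an iterated SHA-256 stand-in so the example runs with only the standard library; the user map, passwords, salts and cost are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// cost is the work factor of the stand-in KDF: 2^cost stretching rounds,
// mirroring bcrypt's cost parameter. Constructed for the example.
const cost = 10

// stretch is a dependency-free stand-in for bcrypt (assumption: real code
// uses bcrypt; iterated SHA-256 is used here only to keep the example
// self-contained). Its running time grows with 2^cost like bcrypt's does.
func stretch(password, salt string, cost int) []byte {
	sum := sha256.Sum256([]byte(salt + password))
	for i := 0; i < (1 << cost); i++ {
		sum = sha256.Sum256(append(sum[:], salt...))
	}
	return sum[:]
}

// hashPassword produces a self-describing stored hash: "stretch$cost$salt$hex".
func hashPassword(password, salt string, cost int) string {
	return fmt.Sprintf("stretch$%d$%s$%s", cost, salt, hex.EncodeToString(stretch(password, salt, cost)))
}

// verify mirrors bcrypt.CompareHashAndPassword: an empty or malformed stored
// hash fails immediately with an error, before any expensive work is done.
// It also returns how many stretching rounds ran, which is exactly the
// quantity an attacker observes through response time.
func verify(stored, password string) (bool, int, error) {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "stretch" {
		return false, 0, errors.New("hash too short or malformed")
	}
	c, err := strconv.Atoi(parts[1])
	if err != nil {
		return false, 0, err
	}
	want, err := hex.DecodeString(parts[3])
	if err != nil {
		return false, 0, err
	}
	got := stretch(password, parts[2], c)
	return subtle.ConstantTimeCompare(got, want) == 1, 1 << c, nil
}

// users is constructed sample data; only "alice" exists.
var users = map[string]string{
	"alice": hashPassword("correct horse", "s4lt", cost),
}

// authVulnerable has the shape of the bug: the variable meant to hold the
// dummy hash is never populated, so unknown users are compared against ""
// and verify returns in microseconds instead of after 2^cost rounds.
func authVulnerable(user, password string) (bool, int) {
	var emptyFallback string // always "" in the vulnerable code path
	stored, known := users[user]
	if !known {
		stored = emptyFallback
	}
	ok, rounds, err := verify(stored, password)
	return known && ok && err == nil, rounds
}

// fallbackHash is the fix: a real dummy hash computed once at startup with
// the same cost as the stored user hashes.
var fallbackHash = hashPassword("unused-dummy-password", "dummysalt", cost)

// authHardened verifies the dummy hash when the user is unknown, so the work
// done (and therefore the response time) no longer depends on whether the
// username exists.
func authHardened(user, password string) (bool, int) {
	stored, known := users[user]
	if !known {
		stored = fallbackHash
	}
	ok, rounds, err := verify(stored, password)
	return known && ok && err == nil, rounds
}

func main() {
	for _, user := range []string{"alice", "mallory"} {
		start := time.Now()
		_, rounds := authVulnerable(user, "wrong-password")
		fmt.Printf("vulnerable user=%-8s rounds=%-5d elapsed=%v\n", user, rounds, time.Since(start))
		start = time.Now()
		_, rounds = authHardened(user, "wrong-password")
		fmt.Printf("hardened   user=%-8s rounds=%-5d elapsed=%v\n", user, rounds, time.Since(start))
	}
}
```

Running it with `go run` prints the vulnerable path doing zero rounds for the unknown user "mallory" and 2^cost rounds for "alice", which is the gap an attacker measures over the network; the hardened path does the same number of rounds for both. Two practical points follow from the example: the fallback must actually be populated (the advisory's root cause), and its cost must match the cost of the real stored hashes, otherwise the timing difference merely shrinks instead of disappearing. The same comparison, timing requests for a known and an unknown username against a BasicAuth-protected route, is a quick way to confirm whether a deployed Traefik is still affected after upgrading.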
References
- github.com/advisories/GHSA-6x2q-h3cr-8j2h
- github.com/traefik/traefik
- github.com/traefik/traefik/releases/tag/v2.11.43
- github.com/traefik/traefik/releases/tag/v3.6.14
- github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
- github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h
- nvd.nist.gov/vuln/detail/CVE-2026-41263