CVE-2026-32595 Overview
CVE-2026-32595 is a timing attack vulnerability in Traefik, the popular HTTP reverse proxy and load balancer. The BasicAuth middleware in affected versions allows unauthenticated attackers to enumerate valid usernames by observing response time differences. When a submitted username exists in the system, the middleware performs a bcrypt password comparison that takes approximately 166ms. However, when the username does not exist, the response returns almost immediately in approximately 0.6ms. This roughly 298x timing difference is observable over the network and enables reliable username enumeration.
Critical Impact
Attackers can enumerate valid usernames without authentication, potentially enabling targeted credential stuffing, brute force attacks, or social engineering campaigns against legitimate users.
Affected Products
- Traefik versions 2.11.40 and below
- Traefik versions 3.0.0-beta1 through 3.6.10
- Traefik version 3.7.0-ea.1
Discovery Timeline
- 2026-03-20 - CVE-2026-32595 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-32595
Vulnerability Analysis
This vulnerability stems from CWE-208 (Observable Timing Discrepancy) in Traefik's BasicAuth middleware implementation. The core issue lies in how the authentication flow handles valid versus invalid usernames differently from a timing perspective. When a valid username is submitted, the middleware proceeds to perform a bcrypt password hash comparison, which is computationally expensive by design (approximately 166ms). However, when an invalid username is provided, the code path returns immediately without performing any cryptographic operation, resulting in response times around 0.6ms.
This substantial timing difference (~298x) is easily measurable over network connections and allows attackers to systematically test usernames against the authentication endpoint. By measuring response latencies, an attacker can build a list of valid usernames without any valid credentials. This attack is network-accessible and requires no authentication or user interaction, making it particularly concerning for internet-exposed Traefik instances.
Root Cause
The root cause is the lack of constant-time behavior in the username validation logic. The BasicAuth middleware fails to perform a dummy bcrypt comparison when the username is not found, creating an observable timing side channel. A proper implementation should execute equivalent cryptographic operations regardless of username validity so that the two code paths cannot be told apart by their response times.
Attack Vector
This vulnerability is exploitable over the network by an unauthenticated attacker. The attack methodology involves:
- Sending authentication requests with candidate usernames to the BasicAuth-protected endpoint
- Measuring the response time for each request
- Classifying usernames as valid (slow response ~166ms) or invalid (fast response ~0.6ms)
- Building a list of confirmed valid usernames for subsequent attacks
The attack requires no special privileges or user interaction. While network conditions may introduce some variance, the 298x timing difference provides a strong signal that can be reliably detected through statistical analysis or multiple request averaging.
Detection Methods for CVE-2026-32595
Indicators of Compromise
- High volume of authentication attempts from single IP addresses targeting BasicAuth endpoints
- Sequential or pattern-based username submissions across authentication requests
- Requests with varied usernames but identical or no passwords
- Unusual authentication traffic patterns during off-hours
Detection Strategies
- Monitor Traefik access logs for repeated 401 responses with varying usernames from the same source
- Implement rate limiting and alerting on authentication endpoints that exceed normal thresholds
- Deploy network monitoring to detect automated enumeration patterns characterized by rapid sequential requests
- Correlate failed authentication events across time windows to identify reconnaissance activity
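The first strategy above (repeated 401s with varying usernames from one source) can be scripted against Traefik's access log. This is an added example, not code from Traefik or the advisory: it parses constructed CLF-format log lines and flags any source IP whose 401 responses span several distinct usernames; the sample lines and the threshold are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed Traefik CLF access-log lines (not real traffic). The third
// field is the username Traefik copies from the Authorization header.
const sampleLog = `203.0.113.5 - alice [20/Mar/2026:10:00:01 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/8.0" 1 "admin@file" "http://10.0.0.2:80" 166ms
203.0.113.5 - bob [20/Mar/2026:10:00:01 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/8.0" 2 "admin@file" "http://10.0.0.2:80" 1ms
203.0.113.5 - carol [20/Mar/2026:10:00:02 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/8.0" 3 "admin@file" "http://10.0.0.2:80" 1ms
203.0.113.5 - dave [20/Mar/2026:10:00:02 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/8.0" 4 "admin@file" "http://10.0.0.2:80" 1ms
198.51.100.9 - alice [20/Mar/2026:10:05:00 +0000] "GET /admin HTTP/1.1" 401 17 "-" "Mozilla/5.0" 5 "admin@file" "http://10.0.0.2:80" 167ms
198.51.100.9 - alice [20/Mar/2026:10:05:09 +0000] "GET /admin HTTP/1.1" 200 512 "-" "Mozilla/5.0" 6 "admin@file" "http://10.0.0.2:80" 170ms`

// clf captures the source IP, the username and the HTTP status code.
var clf = regexp.MustCompile(`^(\S+) - (\S+) \[[^\]]+\] "[^"]*" (\d{3}) `)

// enumerationSuspects returns, for every source IP that reached the
// threshold, how many distinct usernames drew a 401 from it.
func enumerationSuspects(text string, threshold int) map[string]int {
	usersBySrc := map[string]map[string]struct{}{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		m := clf.FindStringSubmatch(sc.Text())
		// Skip unparsable lines, non-401s and requests without credentials.
		if m == nil || m[3] != "401" || m[2] == "-" {
			continue
		}
		if usersBySrc[m[1]] == nil {
			usersBySrc[m[1]] = map[string]struct{}{}
		}
		usersBySrc[m[1]][m[2]] = struct{}{}
	}
	suspects := map[string]int{}
	for src, users := range usersBySrc {
		if len(users) >= threshold {
			suspects[src] = len(users)
		}
	}
	return suspects
}

func main() {
	for src, n := range enumerationSuspects(sampleLog, 3) {
		fmt.Printf("%s: %d distinct usernames rejected with 401\n", src, n)
	}
}
```

A single user mistyping a password (198.51.100.9 above) stays below the threshold; only the source cycling through many usernames is reported.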
Monitoring Recommendations
- Enable detailed logging for BasicAuth middleware events including timestamps and source IPs
- Configure SIEM rules to alert on authentication enumeration patterns
- Monitor for follow-on attacks such as credential stuffing targeting enumerated usernames
- Track authentication response time metrics to identify potential ongoing timing attacks
How to Mitigate CVE-2026-32595
Immediate Actions Required
- Upgrade Traefik to patched versions: 2.11.41, 3.6.11, or 3.7.0-ea.2
- Review access logs for evidence of prior username enumeration attempts
- Implement additional rate limiting on authentication endpoints as defense in depth
- Consider placing additional authentication mechanisms in front of exposed BasicAuth endpoints
Patch Information
Traefik has released security patches addressing this timing attack vulnerability. The fix ensures constant-time behavior during authentication by performing equivalent cryptographic operations regardless of username validity.
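The Root Cause section and the fix described here come down to one pattern: do the same cryptographic work whether or not the username exists. The following Go block is an added example, not Traefik's code: it places the early-return check beside a constant-work check. Because bcrypt lives in golang.org/x/crypto rather than the standard library, an iterated SHA-256 stand-in plays the role of the slow hash; the user store, passwords and dummy hash are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// slowHash stands in for bcrypt (golang.org/x/crypto, outside the standard
// library): iterated SHA-256 whose fixed cost makes every call take real time.
func slowHash(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	for i := 0; i < 200000; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

// Constructed user store, plus a dummy hash that unknown usernames are
// compared against so the expensive step runs on every code path.
var users = map[string][]byte{"alice": slowHash("correct horse")}
var dummyHash = slowHash("dummy password, never accepted")

// vulnerableCheck skips the hash work for unknown users: that early return
// is the observable timing discrepancy (CWE-208).
func vulnerableCheck(user, password string) bool {
	stored, ok := users[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(stored, slowHash(password)) == 1
}

// hardenedCheck always hashes and compares; the unknown-user verdict is
// applied only after that work, never by short-circuiting before it.
func hardenedCheck(user, password string) bool {
	stored, ok := users[user]
	if !ok {
		stored = dummyHash
	}
	match := subtle.ConstantTimeCompare(stored, slowHash(password)) == 1
	return ok && match
}

func main() {
	for name, check := range map[string]func(string, string) bool{"vulnerable": vulnerableCheck, "hardened": hardenedCheck} {
		start := time.Now()
		check("nobody", "x")
		fmt.Println("unknown user,", name+":", time.Since(start))
	}
}
```

Running it shows the unknown-user path returning in microseconds under vulnerableCheck and taking the full hash cost under hardenedCheck, which is the property the patched Traefik versions restore.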
Patched Versions:
- Traefik v2.11.41 - For 2.x series users
- Traefik v3.6.11 - For 3.6.x series users
- Traefik v3.7.0-ea.2 - For early access users
For complete details, see the GitHub Security Advisory GHSA-g3hg-j4jv-cwfr.
Workarounds
- Implement network-level rate limiting to slow down enumeration attempts
- Deploy a web application firewall (WAF) with authentication abuse detection capabilities
- Consider switching to alternative authentication mechanisms such as ForwardAuth with external identity providers
- Restrict BasicAuth endpoint access to trusted IP ranges where feasible
# Example: Rate limiting BasicAuth endpoints using Traefik middleware
# This belongs in the dynamic configuration (e.g. a file-provider YAML), not
# the static traefik.yml; attach it to the router that carries basicAuth.
http:
  middlewares:
    auth-ratelimit:
      rateLimit:
        average: 10
        burst: 20
        period: 1m
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.