FIND-20260410-012 · 2026-04-10 · Innovation Veille

CVE-2026-32595 — Traefik BasicAuth Timing Attack Allows Username Enumeration (CVSS 6.3, Medium)

cve MEDIUM
Traefik's BasicAuth middleware creates a timing side-channel that allows unauthenticated attackers to enumerate valid usernames. When a username exists, bcrypt password verification takes ~166ms; when it does not exist, the request is rejected immediately, in ~0.6ms. This ~298x timing difference is observable over the network. CVSS 4.0 score 6.3 (Medium). Patched in Traefik 2.11.41, 3.6.11, and 3.7.0-ea.2. ODS Traefik 3.6.13 is patched.
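The mechanism above, and the usual fix, as an added illustration (not Traefik's code): the leaky path returns before any password hashing when the username is unknown, while the constant-work path verifies against a decoy credential so that known and unknown usernames cost the same. bcrypt is replaced here by an iterated HMAC-SHA256 stand-in so the example needs only the standard library; the `Authenticator` type, its methods and the `HashCalls` counter are constructed for this demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// slowHash stands in for bcrypt (iterated HMAC-SHA256) so the example needs only
// the standard library. It is an illustration, not a production password hash.
func slowHash(password string, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(password))
	out := mac.Sum(nil)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(out)
		out = mac.Sum(nil)
	}
	return out
}

type storedCred struct {
	salt []byte
	hash []byte
}

// Authenticator holds a user table plus a decoy credential that is verified
// whenever the requested username is unknown (constructed for this example).
type Authenticator struct {
	users      map[string]storedCred
	decoy      storedCred
	iterations int
	// HashCalls counts slowHash invocations made by the most recent Verify* call.
	// It is instrumentation for the demonstration only.
	HashCalls int
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewAuthenticator(iterations int) *Authenticator {
	salt := randomBytes(16)
	// The decoy is a hash of random bytes: no supplied password will ever match it.
	decoy := storedCred{salt: salt, hash: slowHash(string(randomBytes(32)), salt, iterations)}
	return &Authenticator{users: map[string]storedCred{}, decoy: decoy, iterations: iterations}
}

func (a *Authenticator) AddUser(name, password string) {
	salt := randomBytes(16)
	a.users[name] = storedCred{salt: salt, hash: slowHash(password, salt, a.iterations)}
}

func (a *Authenticator) check(cred storedCred, password string) bool {
	a.HashCalls++
	return subtle.ConstantTimeCompare(slowHash(password, cred.salt, a.iterations), cred.hash) == 1
}

// VerifyLeaky mirrors the flaw in the finding: an unknown username returns
// before any hashing, so the response is orders of magnitude faster.
func (a *Authenticator) VerifyLeaky(user, password string) bool {
	a.HashCalls = 0
	cred, ok := a.users[user]
	if !ok {
		return false
	}
	return a.check(cred, password)
}

// VerifyConstantWork hashes against the decoy when the username is unknown,
// so both outcomes perform the same expensive step. The decoy can never match,
// and ok is false anyway, so unknown users are still rejected.
func (a *Authenticator) VerifyConstantWork(user, password string) bool {
	a.HashCalls = 0
	cred, ok := a.users[user]
	if !ok {
		cred = a.decoy
	}
	return a.check(cred, password) && ok
}

func timeIt(f func() bool) time.Duration {
	start := time.Now()
	f()
	return time.Since(start)
}

func main() {
	a := NewAuthenticator(20000)
	a.AddUser("admin", "correct horse battery staple")
	fmt.Println("leaky:         known user", timeIt(func() bool { return a.VerifyLeaky("admin", "wrong") }),
		"| unknown user", timeIt(func() bool { return a.VerifyLeaky("ghost", "wrong") }))
	fmt.Println("constant-work: known user", timeIt(func() bool { return a.VerifyConstantWork("admin", "wrong") }),
		"| unknown user", timeIt(func() bool { return a.VerifyConstantWork("ghost", "wrong") }))
}
```

The decoy must be hashed with the same cost parameter as real users' credentials; if per-user bcrypt costs differ, the response time still distinguishes them even with this fix in place.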

Source

https://nvd.nist.gov/vuln/detail/CVE-2026-32595

ODS Impact

API Gateway (Traefik 3.6.13) — ODS uses the BasicAuth middleware in some service configurations. If admin or internal endpoints use BasicAuth, username enumeration is possible on unpatched versions. ODS 3.6.13 is patched — no immediate action required, but review whether BasicAuth is used on exposed endpoints.

Security Review

License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

traefik cve basicauth timing-attack security