Traefik BasicAuth Middleware Timing Attack Vulnerability Allowing Username Enumeration

Vulnerability

A vulnerability exists in Traefik's BasicAuth middleware that allows username enumeration through a timing attack. It affects Traefik versions 2.11.40 and earlier, 3.0.0-beta1 to 3.6.10, and 3.7.0-ea.1. When a valid username is submitted, the middleware takes approximately 166 milliseconds to respond because it performs a bcrypt password comparison. For non-existent usernames, no such comparison is performed, and the response is nearly instantaneous, around 0.6 milliseconds. This timing difference is large enough to be observed over the network, so an unauthenticated attacker can reliably tell valid usernames from invalid ones.
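The following is an added illustration, not Traefik's code: it contrasts the early-return pattern the advisory describes with a hardened check that performs one slow hash whether or not the username exists. hashlib.pbkdf2_hmac stands in for bcrypt, and the user database, credentials and dummy record are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a BasicAuth users file; pbkdf2_hmac plays the role of bcrypt.
ITERATIONS = 100_000

def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately expensive hash, standing in for the bcrypt comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user_db(users: dict) -> dict:
    """Build {username: (salt, hash)} from constructed plaintext test credentials."""
    db = {}
    for name, password in users.items():
        salt = os.urandom(16)
        db[name] = (salt, slow_hash(password, salt))
    return db

USERS = make_user_db({"alice": "correct horse battery staple"})

# Dummy credential (assumed, not from Traefik) used for unknown usernames so the
# expensive step always runs; the random password can never match a real request.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = slow_hash(os.urandom(16).hex(), _DUMMY_SALT)

def check_vulnerable(db: dict, username: str, password: str) -> bool:
    """Early-return pattern from the advisory: unknown users skip the slow hash."""
    entry = db.get(username)
    if entry is None:
        return False  # answered in microseconds: nothing was hashed
    salt, expected = entry
    return hmac.compare_digest(slow_hash(password, salt), expected)

def check_hardened(db: dict, username: str, password: str) -> bool:
    """Always performs exactly one slow hash, so known and unknown users cost the same."""
    entry = db.get(username)
    salt, expected = entry if entry is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(slow_hash(password, salt), expected)
    return matched and entry is not None

def timing_ratio(check, db: dict) -> float:
    """Response time for a valid username divided by that for an unknown one."""
    def measure(user: str) -> float:
        start = time.perf_counter()
        check(db, user, "wrong-password")
        return time.perf_counter() - start
    return measure("alice") / max(measure("nobody"), 1e-9)
```

timing_ratio(check_vulnerable, USERS) is in the thousands on typical hardware, while timing_ratio(check_hardened, USERS) stays close to 1, which is the property the remediation restores.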

Impact

Exploitation of this vulnerability allows for reliable username enumeration, as an attacker can distinguish between valid and invalid usernames based on the response time.

Remediation

Upgrade to Traefik version 2.11.41, 3.6.11, or 3.7.0-ea.2 to remediate this vulnerability.

Added: Mar 20, 2026, 11:24 AM
Updated: Mar 20, 2026, 11:24 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 0.6
exploitability: 8.3
remediation: 7.7
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.