GHSA-6x2q-h3cr-8j2h

Source
https://github.com/advisories/GHSA-6x2q-h3cr-8j2h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6x2q-h3cr-8j2h/GHSA-6x2q-h3cr-8j2h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6x2q-h3cr-8j2h
Aliases
  • CVE-2026-41263
Published
2026-04-24T20:36:41Z
Modified
2026-05-06T21:37:20.786589Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Summary
Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware
Details

Summary

There is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences.

The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. This restores the original timing oracle and makes it possible to distinguish existing users from non-existing ones by measuring authentication response times.

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.43
  • https://github.com/traefik/traefik/releases/tag/v3.6.14
  • https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2

For more information

If there are any questions or comments about this advisory, please open an issue.

<details> <summary>Original Description</summary>

BasicAuth Timing Regression: CVE-2026-32595 Fix Is a No-Op Due to Map Key/Value Confusion

TL;DR

The patch for CVE-2026-32595 is a no-op. Line 49 of basic_auth.go has a map key/value confusion that makes notFoundSecret always "". The "constant time" fallback calls goauth.CheckSecret(password, ""), which fast-fails in ~1us instead of running bcrypt (~60ms).

Evidence (HEAD 786f7192e, 2026-04-09)

Black-box PoC against live traefik binary on port 28080:

| bucket                       | n   | median   | min      |
|------------------------------|-----|----------|----------|
| existing user (wrong pw)     | 240 | 62.85 ms | 57.54 ms |
| nonexistent user (wrong pw)  | 400 | 0.48 ms  | 0.35 ms  |

Median ratio: 130.4x. Classification: 8/8 correct.

Go in-tree test: goauth.CheckSecret direct ratio 12,746x.

Root cause (4-step trace)

  1. basic_auth.go:49: users[slices.Collect(maps.Values(users))[0]] -- looks up a hash as a username key, returns "".
  2. basic_auth.go:119-120: calls goauth.CheckSecret(password, "").
  3. go-http-auth/basic.go:87: empty string matches no prefix, falls to default compareMD5HashAndPassword.
  4. basic.go:107-109: bytes.SplitN("", "$", 4) returns length 1, function returns instantly.

Files

  • poc/exploit.py -- black-box Python timing oracle
  • poc/basic_auth_timing_regression_test.go -- Go in-tree test
  • poc/traefik.yml + poc/dynamic.yml -- traefik config
  • poc/live_http_poc_output_head.txt -- verbatim PoC output on HEAD

Koda Reef

</details>
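The mechanism the advisory and the original description's root-cause trace describe (a fallback that resolves to "" and therefore never reaches the expensive hash comparison) is reproduced below, together with the corrected fallback, as an added example written for this page. It is not Traefik's or go-http-auth's code: the prefix-dispatching `checkSecret`, the `$slow$` iterated-SHA-256 hash standing in for bcrypt, the `demoUsers` table and the `measure` helper are all constructed for illustration, and the `slices.Collect(maps.Values(...))` expressions assume Go 1.23 or newer.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"maps"
	"slices"
	"strings"
	"time"
)

// Constructed stand-in for a bcrypt-style password hash: a recognisable prefix
// plus a digest that deliberately costs many iterations to recompute.
const slowPrefix = "$slow$"
const slowIters = 50000

func slowHash(password string) string {
	sum := []byte(password)
	for i := 0; i < slowIters; i++ {
		h := sha256.Sum256(sum)
		sum = h[:]
	}
	return slowPrefix + hex.EncodeToString(sum)
}

// checkSecret models the dispatch the advisory attributes to goauth.CheckSecret
// (simplified; not the library's code): a recognised prefix takes the expensive
// path, anything else falls through to a "$"-split parse that returns at once
// when the stored value is not a well-formed hash, which is exactly what "" does.
func checkSecret(password, stored string) bool {
	if strings.HasPrefix(stored, slowPrefix) {
		return subtle.ConstantTimeCompare([]byte(slowHash(password)), []byte(stored)) == 1
	}
	parts := bytes.SplitN([]byte(stored), []byte("$"), 4)
	if len(parts) != 4 {
		return false // "" splits into a single part: instant rejection, no hashing
	}
	return false // other well-formed hash formats are outside this example
}

// buggyFallback reproduces the key/value confusion from the advisory: the first
// stored *hash* is used as a *key* into the user map, so the lookup yields "".
func buggyFallback(users map[string]string) string {
	return users[slices.Collect(maps.Values(users))[0]]
}

// fixedFallback uses a stored hash itself, so the unknown-user path performs
// the same expensive verification a real user's wrong password would.
func fixedFallback(users map[string]string) string {
	return slices.Collect(maps.Values(users))[0]
}

// authenticate is the BasicAuth decision: unknown users are always rejected,
// but only after running the fallback comparison so that response time does
// not reveal whether the username exists.
func authenticate(users map[string]string, fallback func(map[string]string) string, user, password string) bool {
	stored, ok := users[user]
	if !ok {
		checkSecret(password, fallback(users)) // result intentionally discarded
		return false
	}
	return checkSecret(password, stored)
}

// measure returns how long one authentication attempt takes.
func measure(users map[string]string, fallback func(map[string]string) string, user, password string) time.Duration {
	start := time.Now()
	authenticate(users, fallback, user, password)
	return time.Since(start)
}

// demoUsers is a constructed user table with a single account.
func demoUsers() map[string]string {
	return map[string]string{"alice": slowHash("correct horse")}
}

func main() {
	users := demoUsers()
	fmt.Printf("buggy fallback value:   %q\n", buggyFallback(users))
	fmt.Println("known user, wrong pw:  ", measure(users, buggyFallback, "alice", "wrong"))
	fmt.Println("unknown user (buggy):  ", measure(users, buggyFallback, "nobody", "wrong"))
	fmt.Println("unknown user (fixed):  ", measure(users, fixedFallback, "nobody", "wrong"))
}
```

Run it with `go run .`: the buggy fallback prints as `""`, the unknown-user attempt through it returns in microseconds, and the unknown-user attempt through the fixed fallback takes about as long as a wrong password for a real user. The defensive takeaways are the two the advisory implies: the fallback must be a genuine stored hash (or a precomputed dummy hash in the same format), and it must be verified through the same call as real credentials; an in-tree timing test like the one the original description mentions is what catches a silent regression of the fallback to "".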


Database specific
{
    "github_reviewed_at": "2026-04-24T20:36:41Z",
    "nvd_published_at": "2026-04-30T21:16:33Z",
    "cwe_ids": [
        "CWE-208"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Go
github.com/traefik/traefik/v3

Package

Name
github.com/traefik/traefik/v3
Purl
pkg:golang/github.com/traefik/traefik/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.7.0-ea.1
Fixed
3.7.0-rc.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6x2q-h3cr-8j2h/GHSA-6x2q-h3cr-8j2h.json"
github.com/traefik/traefik/v3

Package

Name
github.com/traefik/traefik/v3
Purl
pkg:golang/github.com/traefik/traefik/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0-beta1
Fixed
3.6.14

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6x2q-h3cr-8j2h/GHSA-6x2q-h3cr-8j2h.json"
github.com/traefik/traefik/v2

Package

Name
github.com/traefik/traefik/v2
Purl
pkg:golang/github.com/traefik/traefik/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.11.43

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6x2q-h3cr-8j2h/GHSA-6x2q-h3cr-8j2h.json"
github.com/traefik/traefik

Package

Name
github.com/traefik/traefik
Purl
pkg:golang/github.com/traefik/traefik

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.7.34

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6x2q-h3cr-8j2h/GHSA-6x2q-h3cr-8j2h.json"