CVE-2026-44332

Source
https://cve.org/CVERecord?id=CVE-2026-44332
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44332.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44332
Aliases
Published
2026-07-08T19:32:15.113Z
Modified
2026-07-12T03:54:55.895777680Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Fiber: Username Enumeration via Timing Oracle in BasicAuth Default Authorizer
Details

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username enumeration through response timing differences. This issue is fixed in version 3.3.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-203"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44332.json"
}
References

Affected packages

Git / github.com/gofiber/fiber

Affected ranges

Type
GIT
Repo
https://github.com/gofiber/fiber
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v1.*
v1.0.0
v1.10.0
v1.10.5
v1.11.0
v1.11.1
v1.12.0
v1.12.1
v1.12.2
v1.12.3
v1.12.4
v1.12.5
v1.12.6
v1.13.0
v1.13.1
v1.13.2
v1.13.3
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.14.6
v1.7.1
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.41
v1.8.42
v1.8.43
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.6
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.10.0
v2.11.0
v2.12.0
v2.13.0
v2.14.0
v2.15.0
v2.16.0
v2.17.0
v2.18.0
v2.19.0
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.20.0
v2.20.1
v2.20.2
v2.21.0
v2.22.0
v2.23.0
v2.24.0
v2.25.0
v2.26.0
v2.27.0
v2.28.0
v2.29.0
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.30.0
v2.31.0
v2.32.0
v2.33.0
v2.34.0
v2.34.0-rc.1
v2.4.0
v2.4.1
v2.5.0
v2.6.0
v2.7.0
v2.7.1
v2.8.0
v2.9.0
v3.*
v3.0.0-beta.3
v3.0.0-beta.4
v3.0.0-beta.5
v3.0.0-rc.1
v3.0.0-rc.2
v3.1.0
v3.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44332.json"