GHSA-qhp6-635j-x7r2

Source
https://github.com/advisories/GHSA-qhp6-635j-x7r2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-qhp6-635j-x7r2/GHSA-qhp6-635j-x7r2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qhp6-635j-x7r2
Aliases
Published
2026-02-20T18:25:27Z
Modified
2026-02-23T22:58:12.472017Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
Details

Summary

A timing-based username enumeration vulnerability in Basic Authentication, caused by an early response on invalid usernames, could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks.

Details

SWS validates the provided username before performing any password verification.

- Invalid Username: The server returns a 401 Unauthorized response immediately.
- Valid Username: The server proceeds to verify the password (e.g., using bcrypt), which introduces a different execution path and a measurable timing discrepancy.

This allows an attacker to distinguish between existing and non-existing accounts by analyzing response times.
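The two code paths described above, side by side, as an added illustration that is not SWS's own code: `auth_early_return` skips the expensive check for unknown users, while `auth_uniform` runs the same verifier against a precomputed dummy hash so both branches do equal work. The iterated `slow_hash` is a stand-in for bcrypt, and `VERIFY_CALLS` is a counter added only to make the difference observable in a test.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};
use std::sync::atomic::{AtomicUsize, Ordering};

/// Counts verifier invocations (illustration only) so the two shapes can be compared.
pub static VERIFY_CALLS: AtomicUsize = AtomicUsize::new(0);

/// Stand-in for a slow password hash such as bcrypt: deliberately iterated so the
/// cost of running (or skipping) it is visible.
pub fn slow_hash(password: &str) -> u64 {
    let mut h = 0u64;
    for i in 0..20_000u64 {
        let mut hasher = DefaultHasher::new();
        (h, i, password).hash(&mut hasher);
        h = hasher.finish();
    }
    h
}

pub fn verify(password: &str, stored: u64) -> bool {
    VERIFY_CALLS.fetch_add(1, Ordering::SeqCst);
    slow_hash(password) == stored
}

/// Vulnerable shape: an unknown username returns before any hashing, so the
/// rejection is measurably faster (or slower) than the known-user path.
pub fn auth_early_return(users: &HashMap<&str, u64>, user: &str, pw: &str) -> bool {
    match users.get(user) {
        None => false,
        Some(stored) => verify(pw, *stored),
    }
}

/// Hardened shape: always run the verifier. For an unknown user the password is
/// checked against a dummy hash computed at startup, and the result is masked
/// with `known` using a non-short-circuiting `&`. The map lookup itself is not
/// constant time, but the dominant cost (the hash) is now the same on both paths.
pub fn auth_uniform(users: &HashMap<&str, u64>, dummy: u64, user: &str, pw: &str) -> bool {
    let (stored, known) = match users.get(user) {
        Some(s) => (*s, true),
        None => (dummy, false),
    };
    let ok = verify(pw, stored);
    ok & known
}
```

The dummy hash must be produced with the same cost parameters as real entries, otherwise the two paths diverge again.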

PoC

The following statistical results were obtained by measuring the mean response time over 100 iterations using a custom Rust script:

| User Type | Average Response Time |
| :--- | :--- |
| Invalid User | 0.409861 ms |
| Valid User | 0.250925 ms |
| Difference | ~0.158936 ms |

While the valid user responded faster in this specific test environment, the statistically significant gap confirms that the authentication logic does not execute in constant time.

Impact

Deployments that use the SWS Basic Authentication feature are primarily impacted.

Database specific
{
    "nvd_published_at": "2026-02-21T10:16:12Z",
    "github_reviewed_at": "2026-02-20T18:25:27Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-204"
    ]
}
References

Affected packages

crates.io / static-web-server

Package

Name
static-web-server
Purl
pkg:cargo/static-web-server

Affected ranges

Type
SEMVER
Events
Introduced
2.1.0
Fixed
2.41.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-qhp6-635j-x7r2/GHSA-qhp6-635j-x7r2.json"