CVE-2026-41263

CVE-2026-41263

Name

CVE-2026-41263

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. This restores the original timing oracle and makes it possible to distinguish existing users from non-existing ones by measuring authentication response times. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v2.11.43
security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.6.14
security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
security-advisories@github.com	https://github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h

Type

URI

security-advisories@github.com

https://github.com/traefik/traefik/releases/tag/v2.11.43

security-advisories@github.com

https://github.com/traefik/traefik/releases/tag/v3.6.14

security-advisories@github.com

https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2

security-advisories@github.com

https://github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:traefik:traefik::::::::`	traefik	>= None	< 2.11.43
`cpe:2.3:a:traefik:traefik::::::::`	traefik	>= 3.0.0	< 3.6.14
`cpe:2.3:a:traefik:traefik:3.7.0:ea1::::::`	traefik	== None	== 3.7.0

CPE URI

Source package

Min version

Max version

cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*

traefik

>= None

< 2.11.43

cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*

traefik

>= 3.0.0

< 3.6.14

cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*

traefik

== None

== 3.7.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
traefik	edge-community	3.7.0-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.7.0-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.6.9-r2	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.6.9-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.6.9-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.6.8-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.6.7-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.6.7-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.6.6-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.6.6-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.6.4-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.6.2-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.6.2-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.5.0-r2	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.5.0-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.5.0-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.4.0-r2	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.4.0-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.4.0-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.3.4-r3	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.3.4-r2	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.3.4-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.3.4-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.3.3-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.3.2-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.3.2-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.1.7-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	3.1.3-r0	None	possibly vulnerable
traefik	edge-community	2.9.10-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	2.9.6-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	edge-community	2.2.8-r0	None	possibly vulnerable
traefik	3.23-community	3.6.2-r6	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	3.23-community	3.6.2-r5	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	3.23-community	3.6.2-r4	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	3.23-community	3.6.2-r3	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	3.23-community	3.6.2-r2	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
traefik	3.23-community	3.6.2-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages