Username Enumeration Vulnerability in Traefik HTTP Reverse Proxy and Load Balancer
CVE-2026-32595

6.3 MEDIUM

Key Information:

Vendor

Traefik

Status
Vendor
CVE Published:
20 March 2026

What is CVE-2026-32595?

Traefik versions prior to 2.11.41, along with specific beta and alpha releases from 3.0.0 to 3.7.0, contain a vulnerability in the BasicAuth middleware that allows username enumeration via a timing attack. Responses for valid usernames are approximately 298 times slower than responses for non-existent ones, so unauthenticated individuals can discern valid usernames simply by timing how long responses take. This poses a risk of unauthorized access attempts and must be addressed by upgrading to a patched version: 2.11.41, 3.6.11, or 3.7.0-ea.2.

Affected Version(s)

traefik < 2.11.41

traefik >= 3.0.0-beta1, < 3.6.11

traefik >= 3.7.0-ea.1, < 3.7.0-ea.2
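
A check against the affected ranges listed above, as an added example that is not part of the original advisory or the Traefik project. It applies SemVer 2.0.0 precedence so that pre-release tags such as `3.7.0-ea.1` order correctly; the function names and the sample inventory are assumptions constructed for illustration.

```python
import re

# Affected ranges exactly as listed on this page:
# (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [
    (None, "2.11.41"),
    ("3.0.0-beta1", "3.6.11"),
    ("3.7.0-ea.1", "3.7.0-ea.2"),
]

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse(version):
    """Return a sortable key that follows SemVer 2.0.0 precedence."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        # A final release sorts after every pre-release of the same core.
        return core + (1, ())
    # Numeric identifiers compare as integers and sort below alphanumeric ones.
    ids = tuple(
        (0, int(i), "") if i.isdigit() else (1, 0, i)
        for i in m.group(4).split(".")
    )
    return core + (0, ids)


def is_affected(version):
    """True if the version falls inside any affected range above."""
    v = parse(version)
    return any(
        (low is None or parse(low) <= v) and v < parse(high)
        for low, high in AFFECTED_RANGES
    )


def triage(inventory):
    """Map of host -> version for hosts running an affected Traefik build."""
    return {h: ver for h, ver in inventory.items() if is_affected(ver)}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"edge-1": "v2.11.40", "edge-2": "3.6.11", "lab-1": "3.7.0-ea.1",
          "lab-2": "3.0.0-rc1", "edge-3": "3.7.0-ea.2"}
```
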

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved