CVE-2026-41263

low

Published 2026-04-30 · Modified 2026-05-06

CVSS v3

3.7

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2

—

VIR risk

3.7

Description

Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware

Exploit likelihood

47%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/traefik/traefik/releases/tag/v3.6.14

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/traefik/traefik/releases/tag/v2.11.43

Ecosystem	Package	Vulnerable	Fixed
Go	github.com/traefik/traefik/v3	`>=3.7.0-ea.1,<3.7.0-rc.2`	`3.7.0-rc.2`
Go	github.com/traefik/traefik/v3	`>=3.0.0-beta1,<3.6.14`	`3.6.14`
Go	github.com/traefik/traefik/v2	`<2.11.43`	`2.11.43`
Go	github.com/traefik/traefik	`<=1.7.34`
GO	github.com/traefik/traefik	`<= 1.7.34`
GO	github.com/traefik/traefik/v2	`< 2.11.43`	`2.11.43`
GO	github.com/traefik/traefik/v3	`>= 3.0.0-beta1, < 3.6.14`	`3.6.14`
GO	github.com/traefik/traefik/v3	`>= 3.7.0-ea.1, < 3.7.0-rc.2`	`3.7.0-rc.2`

Vendor	Product	Versions	Fixed
traefik	traefik	`{"endExcluding":"2.11.43"}`	`2.11.43`
traefik	traefik	`3.7.0`

CWE-208

Verify integrity in audit chain (admin only). AS-IS.