Lucene search
K

50 matches found

NVD
NVD
added 2026/07/06 9:16 p.m.7 views

CVE-2026-54763

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which...

10CVSS0.00256EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/06 9:30 a.m.6 views

CVE-2026-44936

Missing filtering when the helmRepoURLRegex field isn't set on a GitRepo resource in SUSE Rancher Fleet's bundle reader in 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 forwards Helm authentication credentials BasicAuth to any URL specified in the helm.repo...

5CVSS6AI score0.00386EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/07/02 1:46 p.m.4 views

GHSA-G5VH-55HW-RXM8 GoFiber Vulnerable to Username Enumeration via Timing Oracle in BasicAuth Default Authorizer

Summary The default Authorizer function in GoFiber's BasicAuth middleware uses short-circuit evaluation that skips password hash comparison for non-existent usernames. With bcrypt-hashed passwords the primary use case, the timing difference between a valid and invalid username is approximately...

5.3CVSS5.9AI score0.00516EPSS
Exploits0References2
NVD
NVD
added 2026/06/26 10:16 p.m.10 views

CVE-2026-55069

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computatio...

8.7CVSS0.00158EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/26 8:50 p.m.37 views

CVE-2026-55069 Kestra BasicAuth Password Stored as SHA-512 Enables Offline Brute-Force Attack

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computatio...

8.7CVSS0.00158EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 8:50 p.m.8 views

CVE-2026-55069

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computatio...

8.7CVSS5.8AI score0.00158EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/06/26 8:50 p.m.16 views

CVE-2026-55069

Kestra OSS (BasicAuth) stores administrator password with SHA-512; if an attacker gains read access to PostgreSQL, offline brute-force can recover the password. In Kubernetes, cracked credentials may enable reading ServiceAccount Tokens and all K8s Secrets, enabling vertical privilege escalation....

8.7CVSS5.8AI score0.00158EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.11 views

PT-2026-52986

Name of the Vulnerable Software and Affected Versions Kestra versions prior to 1.3.24 Description The BasicAuth authentication component of the Kestra OSS workflow orchestration platform stores passwords using SHA-512, which has a high computation speed. An attacker with read access to the...

8.7CVSS5.8AI score0.00158EPSS
Exploits1References8
CVE
CVE
added 2026/06/01 8:2 a.m.121 views

CVE-2026-44825

Summary (CVE-2026-44825) : Apache Solr’s Basic Authentication bootstrap tool (bin/solr auth enable) contains hardcoded credentials, enabling remote attackers to gain full administrative access for Solr clusters running versions 9.4.0–9.10.1 and 10.0.0. The root cause is the inclusion of default c...

9.8CVSS5.8AI score0.00529EPSS
Exploits2References2Affected Software1
Cvelist
Cvelist
added 2026/06/01 8:2 a.m.48 views

CVE-2026-44825 Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users

Hardcoded credentials in the Basic Authentication setup tool bin/solr auth enable in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specifi...

8.1CVSS0.00529EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/05/08 12:0 p.m.13 views

CVE-2026-40912

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This authentication bypass vulnerability allows an unauthenticated attacker to access protected content. The flaw occurs when the StripPrefixRegex middleware is used with authentication mechanisms such as ForwardAuth, BasicAuth...

8.6CVSS5.7AI score0.00767EPSS
Exploits1References7
SUSE CVE
SUSE CVE
added 2026/05/05 1:45 a.m.9 views

SUSE CVE-2026-41263

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to ho...

3.7CVSS5.7AI score0.00369EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/30 8:39 p.m.6 views

CVE-2026-41263 Traefik: BasicAuth middleware: timing side-channel vulnerability

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to ho...

6.3CVSS5.7AI score0.00369EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/30 8:39 p.m.36 views

CVE-2026-41263 Traefik: BasicAuth middleware: timing side-channel vulnerability

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to ho...

6.3CVSS0.00369EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/30 8:38 p.m.5 views

EUVD-2026-26428

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches...

7.8CVSS5.3AI score0.00767EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/04/30 8:38 p.m.4 views

CVE-2026-40912

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches...

7.8CVSS5.3AI score0.00767EPSS
Exploits1References5Affected Software1
CNNVD
CNNVD
added 2026/04/30 12:0 a.m.10 views

Traefik 安全漏洞

Traefik is an open-source reverse proxy and load balancing tool developed by Traefik. There were security vulnerabilities in versions prior to Traefik 2.11.43, 3.6.14, and 3.7.0-rc.2. These vulnerabilities stemmed from the StripPrefixRegex middleware, which, when used in conjunction with...

8.2CVSS5.7AI score0.00767EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/04/24 8:36 p.m.15 views

Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware

Summary There is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-tim...

6.3CVSS6.1AI score0.00385EPSS
Exploits0References6Affected Software3
Github Security Blog
Github Security Blog
added 2026/04/24 4:37 p.m.13 views

Traefik has an StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync

Summary There is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the...

8.6CVSS5.6AI score0.00767EPSS
Exploits1References6Affected Software3
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.9 views

PT-2026-36184

Name of the Vulnerable Software and Affected Versions Traefik versions prior to 2.11.43 Traefik versions prior to 3.6.14 Traefik versions prior to 3.7.0-rc.2 Description A timing side-channel issue exists in the BasicAuth middleware. A variable meant to provide a constant-time fallback secret...

6.3CVSS5.8AI score0.00369EPSS
Exploits0References18
Rows per page
Query Builder