CVE-2026-32595

A flaw was found in Traefik. An unauthenticated attacker can exploit a timing attack vulnerability in the BasicAuth middleware. By observing the time it takes for the middleware to respond, an attacker can determine if a submitted username is valid or not. This information disclosure allows for...

SUSE CVE-2026-32595

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taki...

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the caldav authentication process. An attacker can gain unauthorized access to sensitive project information by bypassing two-factor authentication using Basic Authentication...

Vikunja has a 2FA Bypass via Caldav Basic Auth

Summary The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc. Details...

EUVD-2026-13664

Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration...

Timing Attack

Overview github.com/traefik/traefik/v2/pkg/middlewares/auth is a Cloud Native Application Proxy. Affected versions of this package are vulnerable to Timing Attack via the BasicAuth middleware. An attacker can enumerate valid usernames by measuring the response time differences when submitting...

Timing Attack

Overview Affected versions of this package are vulnerable to Timing Attack via the BasicAuth middleware. An attacker can enumerate valid usernames by measuring the response time differences when submitting authentication requests. Remediation Upgrade...

CVE-2026-32595

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taki...

CVE-2026-33129

H3 is a minimal HTTP framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server...

CVE-2026-33129 h3 has an observable timing discrepancy in basic auth utils

H3 is a minimal HTTP framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server...

CVE-2026-33129 h3 has an observable timing discrepancy in basic auth utils

H3 is a minimal HTTP framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server...

Traefik 安全漏洞

Traefik is an open-source reverse proxy and load balancing tool developed by Traefik. Versions of Traefik such as 2.11.40, 3.0.0-beta1 to 3.6.11, and 3.7.0-ea.1 contain security vulnerabilities. These vulnerabilities stem from a timing discrepancy in the BasicAuth middleware, which may lead to...

PT-2026-26752

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.1.0 Description The Caldav endpoint allows login using Basic Authentication, which bypasses the TOTP for accounts with 2FA enabled. This allows access to project information normally protected by 2FA, such as projec...

Vikunja has a 2FA Bypass via Caldav Basic Auth

The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc...

CVE-2026-32633

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the /api/4/serverslist endpoint returns raw server objects from GlancesServersList.getserverslist. Those objects are mutated in-place during background polling and can contain a uri...

CVE-2026-32633

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the /api/4/serverslist endpoint returns raw server objects from GlancesServersList.getserverslist. Those objects are mutated in-place during background polling and can contain a uri...

GHSA-26F5-8H2X-34XH h3 has an observable timing discrepancy in basic auth utils

Summary A Timing Side-Channel vulnerability exists in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity...

h3 has an observable timing discrepancy in basic auth utils

Summary A Timing Side-Channel vulnerability exists in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity...

CVE-2026-31882

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication DAGUAUTHMODE=basic, all Server-Sent Events SSE endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG...

CVE-2026-31882

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication DAGUAUTHMODE=basic, all Server-Sent Events SSE endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG...