5.3
Static Web Server Basic Authentication Reveals Valid Usernames
CVE-2026-27480
GHSA-qhp6-635j-x7r2
Summary
A security issue in Static Web Server's Basic Authentication could allow attackers to figure out valid usernames by measuring how long it takes the server to respond, making it easier for them to try valid usernames first in brute-force attacks. This affects users who rely on Basic Authentication to log in, and we recommend updating to a more secure authentication method if possible.
What to do
- Update static-web-server to version 2.41.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | static-web-server | > 2.1.0, <= 2.41.0 | 2.41.0 |
| static-web-server | static_web_server | > 2.1.0, <= 2.41.0 | – |
Original title
Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
Original description
## Summary
A timing-based username enumeration vulnerability in Basic Authentication, caused by the server responding early on invalid usernames, could allow attackers to identify valid users and focus targeted brute-force or credential-stuffing attacks on them.
## Details
SWS validates the provided username before performing any password verification.
- **Invalid Username:** The server returns a `401 Unauthorized` response immediately.
- **Valid Username:** The server proceeds to verify the password (e.g., using `bcrypt`), which introduces a different execution path and measurable timing discrepancy.
This allows an attacker to distinguish between existing and non-existing accounts by analyzing response times.
## PoC
The following statistical results were obtained by measuring the mean response time over 100 iterations using a custom Rust script:
| User Type | Average Response Time |
| :--- | :--- |
| **Invalid User** | 0.409861 ms |
| **Valid User** | 0.250925 ms |
| **Difference** | **~0.158936 ms** |
Although the valid user responded faster in this particular test environment, the statistically significant gap confirms that the authentication logic does not run in constant time.
## Impact
Users of the SWS Basic Authentication feature are primarily affected.
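The two code paths described above, side by side, as an added example that is not SWS's own code: the user store, usernames and passwords are constructed, PBKDF2 from the Python standard library stands in for bcrypt, and the hardened version runs the same KDF against a dummy credential when the username is unknown so that both paths do the same work.

```python
import hashlib
import hmac
import os
import time

# Illustrative KDF cost; stdlib PBKDF2 stands in for the bcrypt SWS uses (no extra crates needed).
PBKDF2_ITERATIONS = 50_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def make_store() -> dict:
    # Constructed user store: username -> (salt, password hash)
    salt = os.urandom(16)
    return {"alice": (salt, hash_password("correct horse", salt))}

def authenticate_vulnerable(store: dict, username: str, password: str) -> bool:
    # Pattern from the advisory: an unknown username is rejected before any
    # hashing happens, so that code path is measurably cheaper.
    if username not in store:
        return False
    salt, expected = store[username]
    return hmac.compare_digest(hash_password(password, salt), expected)

# Dummy credential (constructed) so unknown users cost the same as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-placeholder-password", _DUMMY_SALT)

def authenticate_hardened(store: dict, username: str, password: str) -> bool:
    # Always run the KDF and a constant-time compare; only then reject unknown
    # users, so both outcomes follow the same expensive path.
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    digest_ok = hmac.compare_digest(hash_password(password, salt), expected)
    return digest_ok and username in store

def mean_ms(auth, store: dict, username: str, password: str, n: int = 20) -> float:
    # Mean wall-clock time of one authentication attempt, in milliseconds.
    start = time.perf_counter()
    for _ in range(n):
        auth(store, username, password)
    return (time.perf_counter() - start) / n * 1000

if __name__ == "__main__":
    store = make_store()
    for name, auth in (("vulnerable", authenticate_vulnerable), ("hardened", authenticate_hardened)):
        unknown = mean_ms(auth, store, "nobody", "guess")
        valid = mean_ms(auth, store, "alice", "guess")
        print(f"{name:10s} unknown user {unknown:8.3f} ms   valid user {valid:8.3f} ms")
```

Run directly, it prints the mean time of each path: on the vulnerable function the unknown-user path is far cheaper, on the hardened one the two are within noise.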
NVD CVSS 3.1: 5.3
Vulnerability type: CWE-204
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026