CVE-2026-27480

Severity: MEDIUM 5.3 | EPSS: 0.03%

Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames

Published: 2/20/2026 | Modified: 2/23/2026

Description

## Summary

A timing-based username enumeration vulnerability in Basic Authentication, caused by an early response on invalid usernames, could allow attackers to identify valid users and focus targeted brute-force or credential-stuffing attacks on them.

## Details

SWS validates the provided username before performing any password verification.

- **Invalid Username:** The server returns a `401 Unauthorized` response immediately.
- **Valid Username:** The server proceeds to verify the password (e.g., using `bcrypt`), which introduces a different execution path and a measurable timing discrepancy.

This allows an attacker to distinguish between existing and non-existing accounts by analyzing response times.

## PoC

The following statistical results were obtained by measuring the mean response time over 100 iterations using a custom Rust script:

| User Type | Average Response Time |
| :--- | :--- |
| **Invalid User** | 0.409861 ms |
| **Valid User** | 0.250925 ms |
| **Difference** | **~0.158936 ms** |

While the valid user responded faster in this specific test environment, the statistically significant gap confirms that the authentication logic does not execute in constant time.

## Impact

Users of the SWS Basic Authentication feature are primarily impacted.
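The early-return pattern described under Details beside a constant-work variant, as an added example that is not SWS's own code. PBKDF2-HMAC stands in for the `bcrypt` the advisory names so the example runs on the standard library alone, the credential store is constructed, and `HASH_CALLS` is instrumentation added only so the two paths can be compared.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumption: a deliberately slow work factor, as with bcrypt


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash; PBKDF2 here plays the role bcrypt plays in SWS."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed credential store: username -> (salt, stored hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy record verified whenever the username is unknown, so that path does
# the same expensive work as a real verification (its result is discarded).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("unused dummy password", _DUMMY_SALT)

HASH_CALLS = {"n": 0}  # counts slow-hash evaluations, for comparing the two paths


def _verify(password: str, salt: bytes, expected: bytes) -> bool:
    HASH_CALLS["n"] += 1
    return hmac.compare_digest(hash_password(password, salt), expected)


def check_vulnerable(username: str, password: str) -> bool:
    """Pattern the advisory describes: unknown usernames answer before any hashing."""
    entry = USERS.get(username)
    if entry is None:
        return False  # immediate 401: cheap path reveals the account does not exist
    return _verify(password, *entry)


def check_fixed(username: str, password: str) -> bool:
    """Both branches perform exactly one slow verification, so timing no longer
    depends on whether the username exists."""
    entry = USERS.get(username)
    if entry is None:
        _verify(password, _DUMMY_SALT, _DUMMY_HASH)  # burn the same work, ignore result
        return False
    return _verify(password, *entry)


def hash_work(check, username: str, password: str) -> int:
    """Slow-hash evaluations one check performs; equal counts across users means
    there is no cheap path for a tester to distinguish."""
    before = HASH_CALLS["n"]
    check(username, password)
    return HASH_CALLS["n"] - before
```

A timing test like the advisory's PoC against `check_fixed` should show the two user types converging, whereas `hash_work` exposes the difference deterministically.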

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| :--- | :--- | :--- | :--- |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |

References (4)