CVE-2026-27480 (GCVE-0-2026-27480)
Vulnerability from cvelistv5 – Published: 2026-02-21 09:14 – Updated: 2026-02-24 18:13
Title
Static Web Server: Timing-Based Username Enumeration in Basic Authentication
Summary
Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0.
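The early-return pattern the summary describes, beside the usual fix (run the expensive password verification on every request, against a dummy hash when the username is unknown, so both paths cost the same), as an added Rust example that is not SWS code. The `slow_hash` stand-in for bcrypt, the `Users` store, the `SLOW_CALLS` counter and the sample credentials are constructed for this illustration.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::OnceLock;

/// Counts expensive verifications; a stand-in for measuring response time.
pub static SLOW_CALLS: AtomicUsize = AtomicUsize::new(0);

/// Constructed stand-in for a bcrypt-style hash: deliberately iterates SipHash
/// many times so that verifying a password costs far more than a map lookup.
pub fn slow_hash(password: &str) -> u64 {
    let mut acc = 0u64;
    for _ in 0..20_000 {
        let mut h = DefaultHasher::new();
        password.hash(&mut h);
        acc.hash(&mut h);
        acc = h.finish();
    }
    acc
}

/// Verify a password against a stored hash; every call is recorded.
pub fn slow_verify(password: &str, stored: u64) -> bool {
    SLOW_CALLS.fetch_add(1, Ordering::SeqCst);
    slow_hash(password) == stored
}

/// Username -> stored hash, as a Basic Auth user store would hold it.
pub struct Users(pub HashMap<String, u64>);

impl Users {
    /// Vulnerable pattern (CWE-204): an unknown username is rejected before any
    /// hashing, so it answers faster than a known username with a wrong password.
    pub fn check_vulnerable(&self, user: &str, pass: &str) -> bool {
        match self.0.get(user) {
            None => false,
            Some(stored) => slow_verify(pass, *stored),
        }
    }

    /// Hardened pattern: run the expensive verify on every request, against a
    /// dummy hash when the user is unknown, so both outcomes cost the same.
    pub fn check_hardened(&self, user: &str, pass: &str) -> bool {
        static DUMMY: OnceLock<u64> = OnceLock::new();
        let dummy = *DUMMY.get_or_init(|| slow_hash("constructed-dummy-password"));
        let stored = self.0.get(user).copied();
        let matched = slow_verify(pass, stored.unwrap_or(dummy));
        matched && stored.is_some()
    }
}
```

The counter makes the discrepancy visible without a stopwatch: the vulnerable check performs zero hash operations for an unknown user, while the hardened check performs exactly one for every request regardless of outcome.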
Severity
5.3 (Medium)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2 | x_refsource_CONFIRM |
| https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| static-web-server | static-web-server | Affected: >= 2.1.0, < 2.41.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27480",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T18:13:36.026175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T18:13:51.921Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "static-web-server",
"vendor": "static-web-server",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T09:14:30.376Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2"
},
{
"name": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1"
}
],
"source": {
"advisory": "GHSA-qhp6-635j-x7r2",
"discovery": "UNKNOWN"
},
"title": "Static Web Server: Timing-Based Username Enumeration in Basic Authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27480",
"datePublished": "2026-02-21T09:14:30.376Z",
"dateReserved": "2026-02-19T19:46:03.540Z",
"dateUpdated": "2026-02-24T18:13:51.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.