Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username enumeration through response timing differences. This issue is fixed in version 3.3.0.
History

Thu, 09 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Gofiber
Gofiber fiber
Vendors & Products Gofiber
Gofiber fiber

Wed, 08 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username enumeration through response timing differences. This issue is fixed in version 3.3.0.
Title Fiber: Username Enumeration via Timing Oracle in BasicAuth Default Authorizer
Weaknesses CWE-203
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-07-08T19:32:15.113Z

Updated: 2026-07-09T14:33:29.004Z

Reserved: 2026-05-05T19:52:59.146Z

Link: CVE-2026-44332

cve-icon Vulnrichment

Updated: 2026-07-09T14:33:26.233Z

cve-icon NVD

No data.

cve-icon Redhat

No data.