{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27480", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T19:46:03.540Z", "datePublished": "2026-02-21T09:14:30.376Z", "dateUpdated": "2026-02-24T18:13:51.921Z"}, "containers": {"cna": {"title": "Static Web Server: Timing-Based Username Enumeration in Basic Authentication", "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "lang": "en", "description": "CWE-204: Observable Response Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2"}, {"name": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1", "tags": ["x_refsource_MISC"], "url": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1"}], "affected": [{"vendor": "static-web-server", "product": "static-web-server", "versions": [{"version": ">= 2.1.0, < 2.41.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T09:14:30.376Z"}, "descriptions": [{"lang": "en", "value": "Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0."}], "source": {"advisory": "GHSA-qhp6-635j-x7r2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:13:36.026175Z", "id": "CVE-2026-27480", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:13:51.921Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27480", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T18:13:36.026175Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:13:45.808Z"}}], "cna": {"title": "Static Web Server: Timing-Based Username Enumeration in Basic Authentication", "source": {"advisory": "GHSA-qhp6-635j-x7r2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "static-web-server", "product": "static-web-server", "versions": [{"status": "affected", "version": ">= 2.1.0, < 2.41.0"}]}], "references": [{"url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2", "name": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1", "name": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204: Observable Response Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T09:14:30.376Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27480", "state": "PUBLISHED", "dateUpdated": "2026-02-24T18:13:51.921Z", "dateReserved": "2026-02-19T19:46:03.540Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-21T09:14:30.376Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:static-web-server:static_web_server:*:*:*:*:*:rust:*:*", "matchCriteriaId": "D0CB0D00-4F6E-4CBD-BC05-02533F489AE3", "versionEndExcluding": "2.41.0", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0."}, {"lang": "es", "value": "Servidor Web Est\u00e1tico (SWS) es un servidor web listo para producci\u00f3n, adecuado para archivos web est\u00e1ticos o activos. En las versiones 2.1.0 a la 2.40.1, una vulnerabilidad de enumeraci\u00f3n de nombres de usuario basada en tiempo en la Autenticaci\u00f3n B\u00e1sica permite a los atacantes identificar usuarios v\u00e1lidos explotando respuestas tempranas para nombres de usuario inv\u00e1lidos, lo que permite ataques de fuerza bruta dirigidos o de relleno de credenciales. SWS verifica si un nombre de usuario existe antes de verificar la contrase\u00f1a, haciendo que los nombres de usuario v\u00e1lidos sigan una ruta de c\u00f3digo m\u00e1s lenta (por ejemplo, el hash bcrypt) mientras que los nombres de usuario inv\u00e1lidos reciben una respuesta 401 inmediata. Esta discrepancia de tiempo permite a los atacantes enumerar cuentas v\u00e1lidas midiendo las diferencias en el tiempo de respuesta. Este problema ha sido solucionado en la versi\u00f3n 2.41.0."}], "id": "CVE-2026-27480", "lastModified": "2026-02-24T16:55:37.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-21T10:16:12.210", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.1.0,2.41.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "static-web-server", "source": "cna", "vendor": "static-web-server"}, "product": "static_web_server", "vendor": "static-web-server"}], "analysis": {"en": {"generated_at": "2026-04-18T17:50:11.015245+00:00", "value": {"mitigation_remediation": ["Upgrade to Static Web Server 2.41.0 or later, which removes the CWE\u2011204 timing\u2011based enumeration flaw", "If an upgrade is not feasible, configure the server to use constant\u2011time authentication responses to address the CWE\u2011204 weakness", "If an immediate upgrade is not feasible, disable Basic Authentication or replace it with a more secure authentication scheme that enforces constant\u2011time responses", "Limit the impact of potential enumeration attempts by implementing network\u2011level throttling or rate\u2011limiting for authentication requests"], "summary": {"action": "Apply Patch", "impact": "User Enumeration via Timing Attack"}, "threat_synthesis": {"affected_systems": "Static Web Server version 2.1.0 through 2.40.1 is affected. The issue has been fixed in version 2.41.0. All installations of the affected range should be reviewed and upgraded accordingly.", "description_and_impact": "This vulnerability allows an attacker to discover which usernames exist in the system by measuring the time it takes for the server to respond to Basic Authentication attempts. The server performs a username check before verifying the password, causing a delay for valid usernames (e.g., due to bcrypt hashing) while invalid usernames are rejected immediately. This timing difference reveals valid accounts, enabling attackers to conduct focused brute\u2011force or credential\u2011stuffing attacks. The impact is primarily the exposure of legitimate usernames, which facilitates subsequent credential\u2011guessing or social\u2011engineering attacks, but does not directly disclose passwords or grant elevated privileges.", "risk_and_exploitability": "The CVSS base score is 5.3, indicating moderate severity. The EPSS score is less than 1%, suggesting low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be network\u2011based, requiring an attacker to initiate Basic Authentication over HTTP/HTTPS to observe response times. While the technique is relatively simple, it typically requires automated scripts and precise timing measurements and can be mitigated by ensuring uniform response times for all authentication attempts."}}}}, "created": "2026-02-23T14:32:14.482452+00:00", "updated": "2026-04-18T18:00:06.454949+00:00", "vendors": ["static-web-server", "static-web-server$PRODUCT$static_web_server"]}