{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27480", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T19:46:03.540Z", "datePublished": "2026-02-21T09:14:30.376Z", "dateUpdated": "2026-02-24T18:13:51.921Z"}, "containers": {"cna": {"title": "Static Web Server: Timing-Based Username Enumeration in Basic Authentication", "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "lang": "en", "description": "CWE-204: Observable Response Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2"}, {"name": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1", "tags": ["x_refsource_MISC"], "url": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1"}], "affected": [{"vendor": "static-web-server", "product": "static-web-server", "versions": [{"version": ">= 2.1.0, < 2.41.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T09:14:30.376Z"}, "descriptions": [{"lang": "en", "value": "Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0."}], "source": {"advisory": "GHSA-qhp6-635j-x7r2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:13:36.026175Z", "id": "CVE-2026-27480", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:13:51.921Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:static-web-server:static_web_server:*:*:*:*:*:rust:*:*", "matchCriteriaId": "D0CB0D00-4F6E-4CBD-BC05-02533F489AE3", "versionEndExcluding": "2.41.0", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0."}, {"lang": "es", "value": "Servidor Web Est\u00e1tico (SWS) es un servidor web listo para producci\u00f3n, adecuado para archivos web est\u00e1ticos o activos. En las versiones 2.1.0 a la 2.40.1, una vulnerabilidad de enumeraci\u00f3n de nombres de usuario basada en tiempo en la Autenticaci\u00f3n B\u00e1sica permite a los atacantes identificar usuarios v\u00e1lidos explotando respuestas tempranas para nombres de usuario inv\u00e1lidos, lo que permite ataques de fuerza bruta dirigidos o de relleno de credenciales. SWS verifica si un nombre de usuario existe antes de verificar la contrase\u00f1a, haciendo que los nombres de usuario v\u00e1lidos sigan una ruta de c\u00f3digo m\u00e1s lenta (por ejemplo, el hash bcrypt) mientras que los nombres de usuario inv\u00e1lidos reciben una respuesta 401 inmediata. Esta discrepancia de tiempo permite a los atacantes enumerar cuentas v\u00e1lidas midiendo las diferencias en el tiempo de respuesta. Este problema ha sido solucionado en la versi\u00f3n 2.41.0."}], "id": "CVE-2026-27480", "lastModified": "2026-02-24T16:55:37.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-21T10:16:12.210", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.1.0,2.41.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "static-web-server", "source": "cna", "vendor": "static-web-server"}, "product": "static_web_server", "vendor": "static-web-server"}], "created": "2026-02-23T14:32:14.482452+00:00", "updated": "2026-02-23T14:32:14.482529+00:00", "vendors": ["static-web-server", "static-web-server$PRODUCT$static_web_server"]}