LeakyCreds
NewInstant webhook alerts now available — notified within seconds of any credential detection.Learn more →
Home / Vulnerability Intelligence / CVE-2026-33129

CVE-2026-33129 - Vulnerability Analysis

MediumCVSS: 5.9

Last Updated: March 20, 2026

H3 - Authentication Bypass

Published: March 20, 2026Updated: March 20, 2026PoC AvailableRemote Exploitable

Overview

H3 2.0.1-beta.0 through 2.0.0-rc.8 contains a timing side-channel vulnerability caused by unsafe string comparison in requireBasicAuth function, letting attackers deduce valid passwords by measuring response time, exploit requires network access.

Severity & Score

Severity: Medium
CVSS Score: 5.9

Impact

Attackers can bypass password complexity protections by deducing valid passwords via timing analysis.

Mitigation

Upgrade to version 2.0.1-rc.9 or later.

References

Related Resources

Details

CVE ID
CVE-2026-33129
Severity
Medium
CVSS Score
5.9
Type
broken_authentication
Status
confirmed

CWE

  • CWE-208

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N