Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentication server is read entirely into memory without any size limit. There is no maxResponseBodySize configuration to restrict the amount of data read from the authentication server response. If the authentication server returns an unexpectedly large or unbounded response body, Traefik will allocate unlimited memory, potentially causing an out-of-memory (OOM) condition that crashes the process. This results in a denial of service for all routes served by the affected Traefik instance. This issue has been patched in versions 2.11.38 and 3.6.9.
Published: 2026-03-05
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-Of-Memory denial of service
Action: Immediate Patch
AI Analysis

Impact

A flaw in Traefik’s ForwardAuth middleware causes the proxy to read the entire authentication server response body into memory without any size limit. If the authentication server supplies a very large or unbounded body, Traefik will consume unlimited memory, eventually triggering an out-of-memory condition that crashes the process. The crash results in service disruption for all routes handled by the affected Traefik instance. This vulnerability represents an uncontrolled resource consumption weakness, allowing denial of service if an attacker can influence the size of the response from an auth server.
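To make the weakness concrete, here is an added Go example that is not Traefik's code and not the upstream patch: it contrasts the unbounded `io.ReadAll` pattern the advisory describes with a bounded read that caps how much of the auth server's body is buffered, and it drives both through a simulated ForwardAuth decision. The function names (`readAllBounded`, `forwardAuthDecision`, `fakeAuthResponse`), the 1 MiB cap and the constructed 10 MiB "auth server" response are assumptions chosen for illustration, not Traefik's identifiers or defaults.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrResponseTooLarge is returned when the auth server's body exceeds the cap.
var ErrResponseTooLarge = errors.New("auth server response body exceeds size limit")

// readAllUnbounded mirrors the vulnerable pattern: io.ReadAll keeps growing its
// buffer until the peer stops sending, so an oversized or endless body is
// allocated in full and can exhaust process memory.
func readAllUnbounded(body io.Reader) ([]byte, error) {
	return io.ReadAll(body)
}

// readAllBounded is the hardened form (hypothetical helper, not Traefik's API).
// It wraps the body in io.LimitReader with maxBytes+1 so that a body of exactly
// maxBytes is accepted while anything larger is detected and rejected without
// buffering the remainder.
func readAllBounded(body io.Reader, maxBytes int64) ([]byte, error) {
	limited := io.LimitReader(body, maxBytes+1)
	data, err := io.ReadAll(limited)
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

// forwardAuthDecision models the ForwardAuth flow on an already-received auth
// server response: a 2xx status allows the request and the body is ignored;
// any other status denies it and the (bounded) body is what would be relayed
// to the client. Returns (allowed, denialBody, err).
func forwardAuthDecision(resp *http.Response, maxBytes int64) (bool, []byte, error) {
	defer resp.Body.Close()
	if resp.StatusCode >= 200 && resp.StatusCode < 300 {
		return true, nil, nil
	}
	body, err := readAllBounded(resp.Body, maxBytes)
	if err != nil {
		return false, nil, err
	}
	return false, body, nil
}

// fakeAuthResponse builds a constructed auth server reply in memory (no network)
// with the given status and a body of bodyLen bytes.
func fakeAuthResponse(status int, bodyLen int) *http.Response {
	rec := httptest.NewRecorder()
	rec.WriteHeader(status)
	rec.WriteString(strings.Repeat("x", bodyLen))
	return rec.Result()
}

func main() {
	const maxBody = 1 << 20 // 1 MiB cap (arbitrary for the example)

	// Vulnerable path: the whole 10 MiB denial body is buffered.
	unbounded, _ := readAllUnbounded(fakeAuthResponse(http.StatusForbidden, 10<<20).Body)
	fmt.Printf("unbounded read buffered %d bytes\n", len(unbounded))

	// Hardened path: the same response is rejected once the cap is exceeded.
	allowed, body, err := forwardAuthDecision(fakeAuthResponse(http.StatusForbidden, 10<<20), maxBody)
	fmt.Printf("bounded: allowed=%v bodyLen=%d err=%v\n", allowed, len(body), err)

	// A small denial body still passes through intact.
	allowed, body, err = forwardAuthDecision(fakeAuthResponse(http.StatusUnauthorized, 64), maxBody)
	fmt.Printf("bounded: allowed=%v bodyLen=%d err=%v\n", allowed, len(body), err)
}
```

The point of reading `maxBytes+1` rather than `maxBytes` is that a plain `io.LimitReader(body, maxBytes)` silently truncates an oversized body, so the caller cannot distinguish "fits" from "was cut off"; reading one extra byte turns the overflow into an explicit error that can be logged and mapped to a 5xx toward the client instead of relaying a partial body.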

Affected Systems

The vulnerability affects the open-source HTTP reverse proxy and load balancer known as Traefik, specifically versions prior to 2.11.38 and 3.6.9. Users running any deployment of Traefik that employs the ForwardAuth middleware without a configured maximum response body size are at risk. The affected packages are identified by the CNA as traefik:traefik.

Risk and Exploitability

The issue is scored at CVSS 4.4, indicating moderate overall severity. The EPSS probability is less than 1%, reflecting a very low likelihood of active exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to host or control the authentication server that the Traefik instance forwards requests to and craft an unusually large response body; the attack scenario therefore depends on the ability to influence the auth server's output. Once triggered, the resulting OOM causes a process crash and simultaneous denial of service to all routes handled by the vulnerable Traefik process.

Generated by OpenCVE AI on April 17, 2026 at 12:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 2.11.38 or later, or 3.6.9 or later, to apply the official fix.
  • If upgrading is not immediately possible, reconfigure or replace the authentication server to limit or verify the size of the response body, effectively preventing unbounded reads; disabling the ForwardAuth middleware altogether is another interim workaround.
  • Deploy container or host-level resource limits (memory requests and limits) on the Traefik process to contain any potential memory impact, providing a fallback in case of OOM crashes.


Advisories
Source: Github GHSA
ID: GHSA-fw45-f5q2-2p4x
Title: Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS
History

Fri, 06 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Traefik; Traefik traefik
Type: CPEs
Values Added: cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Traefik; Traefik traefik

Fri, 06 Mar 2026 00:15:00 +0000

Type: References
Type: Metrics (threat_severity)
Values Removed: None
Values Added: Moderate


Thu, 05 Mar 2026 18:15:00 +0000

Type: Description
Values Added: Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentication server is read entirely into memory without any size limit. There is no maxResponseBodySize configuration to restrict the amount of data read from the authentication server response. If the authentication server returns an unexpectedly large or unbounded response body, Traefik will allocate unlimited memory, potentially causing an out-of-memory (OOM) condition that crashes the process. This results in a denial of service for all routes served by the affected Traefik instance. This issue has been patched in versions 2.11.38 and 3.6.9.
Type: Title
Values Added: Traefik: unbounded io.ReadAll on auth server response body causes OOM denial of service (DOS)
Type: Weaknesses
Values Added: CWE-770
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:12:14.907Z

Reserved: 2026-02-17T01:41:24.607Z

Link: CVE-2026-26998

Vulnrichment

Updated: 2026-03-06T15:50:59.314Z

NVD

Status : Analyzed

Published: 2026-03-05T19:16:05.140

Modified: 2026-03-06T15:27:01.330

Link: CVE-2026-26998

Redhat

Severity : Moderate

Public Date: 2026-03-05T16:15:05Z

Links: CVE-2026-26998 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses