Description
Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9.
Published: 2026-03-05
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Removal of critical X-Forwarded headers by a remote client
Action: Immediate Patch
AI Analysis

Impact

Traefik is a widely deployed HTTP reverse proxy that inserts client‑identity headers such as X-Real-Ip, X-Forwarded-Host and X-Forwarded-Port for the backend services behind it to consume. The flaw (CWE-178, improper handling of case sensitivity) is in the hop‑by‑hop handling of the Connection header. HTTP/1.1 lets a sender list header names in Connection to mark them hop‑by‑hop, and a proxy drops those headers before forwarding; Traefik protects its own forwarded headers from being dropped this way by comparing each Connection token against the protected names. That comparison is case‑sensitive while the deletion it gates is case‑insensitive, so an unauthenticated HTTP/1.1 client sending, for example, Connection: x-real-ip makes Traefik strip the Traefik‑managed X-Real-Ip before the request reaches the backend. The GitHub advisory (see Advisories below) describes the issue as a bypass of the fix for CVE-2024-45410. A backend that relies on these headers then receives no client address or original host, so IP allowlists, per‑client rate limits, audit logging and any authorization decision keyed on the forwarded identity operate on missing data or on whatever fallback the backend applies; this is why the CVSS vector rates the impact on integrity only (C:N/I:H/A:N).
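The following Go program is added here as an illustration of the mechanism described in the Description and in the Impact paragraph above; it is not code from Traefik or from the advisory. It models a hop‑by‑hop removal routine that compares Connection tokens byte‑for‑byte against the protected names while deleting with net/http's Header.Del (which canonicalises the key, so the deletion is case‑insensitive), next to a corrected routine that canonicalises both sides. The protected‑header list, the X-Debug-Token header and the client address 203.0.113.7 are constructed for the example; Traefik's real list and code paths differ.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed list of proxy-managed headers to protect from hop-by-hop
// removal. It follows the names in the advisory; Traefik's own list and
// code paths may differ.
var protectedHeaders = []string{
	"X-Real-Ip",
	"X-Forwarded-For",
	"X-Forwarded-Host",
	"X-Forwarded-Port",
	"X-Forwarded-Proto",
}

// connectionTokens returns the comma-separated tokens of every Connection
// header on the request, trimmed and with empties dropped.
func connectionTokens(h http.Header) []string {
	var tokens []string
	for _, v := range h.Values("Connection") {
		for _, t := range strings.Split(v, ",") {
			if t = strings.TrimSpace(t); t != "" {
				tokens = append(tokens, t)
			}
		}
	}
	return tokens
}

// removeHopByHopVulnerable models the flawed protection: each token is
// compared byte-for-byte with the protected names, but http.Header.Del
// canonicalises its argument ("x-real-ip" becomes "X-Real-Ip"), so a token
// that differs only in case slips past the check and still deletes the
// canonical header.
func removeHopByHopVulnerable(h http.Header) {
	for _, tok := range connectionTokens(h) {
		protected := false
		for _, p := range protectedHeaders {
			if tok == p { // case-sensitive comparison: the bug
				protected = true
				break
			}
		}
		if !protected {
			h.Del(tok) // case-insensitive deletion
		}
	}
	h.Del("Connection")
}

// removeHopByHopFixed canonicalises the token first so that the
// comparison and the deletion agree on case.
func removeHopByHopFixed(h http.Header) {
	for _, tok := range connectionTokens(h) {
		canon := http.CanonicalHeaderKey(tok)
		protected := false
		for _, p := range protectedHeaders {
			if canon == http.CanonicalHeaderKey(p) {
				protected = true
				break
			}
		}
		if !protected {
			h.Del(canon)
		}
	}
	h.Del("Connection")
}

// backendHeadersAfter builds a constructed request carrying the given
// client-supplied Connection value plus the forwarded headers a proxy
// would set from the TCP peer, applies the chosen hop-by-hop removal and
// returns what the backend would receive.
func backendHeadersAfter(connection string, remove func(http.Header)) http.Header {
	h := http.Header{}
	if connection != "" {
		h.Set("Connection", connection)
	}
	h.Set("X-Real-Ip", "203.0.113.7") // constructed client address
	h.Set("X-Forwarded-For", "203.0.113.7")
	h.Set("X-Forwarded-Host", "app.example")
	h.Set("X-Forwarded-Port", "443")
	h.Set("X-Debug-Token", "abc") // constructed; a header a client may legitimately drop
	remove(h)
	return h
}

func main() {
	for _, c := range []string{"X-Real-Ip", "x-real-ip", "X-REAL-IP", "keep-alive, x-debug-token"} {
		fmt.Printf("Connection: %-28q vulnerable X-Real-Ip=%q  fixed X-Real-Ip=%q\n", c,
			backendHeadersAfter(c, removeHopByHopVulnerable).Get("X-Real-Ip"),
			backendHeadersAfter(c, removeHopByHopFixed).Get("X-Real-Ip"))
	}
}
```

Only the exact canonical spelling "X-Real-Ip" survives the vulnerable check; "x-real-ip" and "X-REAL-IP" both strip the header, which is why a mitigation that filters lowercase tokens alone is incomplete. The fixed routine still honours Connection for headers that are not protected, so legitimate hop‑by‑hop behaviour is preserved.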

Affected Systems

Traefik 2.11.9 through 2.11.37 and 3.1.3 through 3.6.8 are affected; the lower bounds are the releases that introduced the protection this issue bypasses (the fix for CVE-2024-45410 named in the GitHub advisory). Any client that can reach an affected instance over HTTP/1.1 can trigger the header deletion. HTTP/2 forbids the Connection header, so requests arriving over HTTP/2 do not carry the trigger.

Risk and Exploitability

The CVSS v3.1 base score is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N: reachable from the network, low attack complexity, no privileges or user interaction, and impact rated on integrity only (the forwarded identity the backend receives is corrupted), with no confidentiality or availability impact claimed. The EPSS score is below 1%, a low predicted probability of exploitation in the wild, and the issue is not in the CISA KEV catalog; the SSVC assessment records Exploitation: none, Automatable: yes and Technical Impact: partial. Exploitation needs only a single unauthenticated HTTP/1.1 request carrying a crafted Connection header, so the low EPSS reflects a lack of known exploitation activity rather than any difficulty in triggering the flaw.

Generated by OpenCVE AI on April 16, 2026 at 12:18 UTC.

Remediation

Fixed in Traefik 2.11.38 and 3.6.9 (per the Description and the linked GitHub advisory). No vendor‑supplied workaround is listed for earlier releases.

OpenCVE Recommended Actions

  • Upgrade to Traefik 2.11.38 or newer (2.x line) or 3.6.9 or newer (3.x line), which contain the fix for the case‑sensitivity bug.
  • If an immediate upgrade is not possible, reject or rewrite requests at a layer in front of Traefik whose Connection header names any X-Forwarded-* or X-Real-Ip header, matching tokens case‑insensitively: the flawed check only passes tokens that exactly match the canonical spelling, so X-REAL-IP or x-Forwarded-host bypasses it just as x-real-ip does, and a filter that looks for lowercase tokens alone is incomplete.
  • Make backends fail closed: treat a missing X-Real-Ip or X-Forwarded-For as an error rather than falling back to the connection's peer address, which behind Traefik is Traefik itself. Where the front‑end layer can log request headers, record the incoming Connection value and alert on tokens that name forwarded headers; the backend cannot do this itself, because Connection is hop‑by‑hop and is gone by the time the request arrives.
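The backend‑side half of the recommendations above, as an added example that is neither Traefik code nor part of the OpenCVE page: a Go net/http middleware that fails closed when the proxy‑set X-Real-Ip is absent instead of falling back to the connection peer, which behind a reverse proxy is the proxy itself. The handler, the middleware name and the constructed requests are hypothetical, and the example assumes the backend is reachable only through the proxy (otherwise the header is attacker‑controlled and no header‑based identity is trustworthy).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// errNoClientIP signals that the identity header the proxy is expected to
// set is absent, which is what a backend sees after the Connection-token
// bypass strips it.
var errNoClientIP = errors.New("missing X-Real-Ip from trusted proxy")

// clientIPFailClosed returns the client address asserted by the proxy. It
// deliberately does not fall back to r.RemoteAddr: behind a reverse proxy
// that address belongs to the proxy, so a fallback would give every
// stripped request the same identity and the same rate-limit bucket.
// Assumption: the backend is reachable only through the proxy; otherwise
// the header is attacker-controlled.
func clientIPFailClosed(r *http.Request) (net.IP, error) {
	v := r.Header.Get("X-Real-Ip")
	if v == "" {
		return nil, errNoClientIP
	}
	ip := net.ParseIP(v)
	if ip == nil {
		return nil, fmt.Errorf("malformed X-Real-Ip %q", v)
	}
	return ip, nil
}

// requireClientIP (hypothetical middleware name) rejects requests without
// a usable client address instead of letting the handler run with a bogus
// or shared identity.
func requireClientIP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := clientIPFailClosed(r); err != nil {
			http.Error(w, "client identity unavailable", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed request, with the given X-Real-Ip value
// (empty means the header was stripped), through the middleware and
// returns the resulting status code.
func statusFor(realIP string) int {
	h := requireClientIP(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if realIP != "" {
		req.Header.Set("X-Real-Ip", realIP)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, ip := range []string{"203.0.113.7", "", "not-an-ip"} {
		fmt.Printf("X-Real-Ip=%q -> HTTP %d\n", ip, statusFor(ip))
	}
}
```

A request that arrives with the header stripped is refused with 400 rather than served under the proxy's own address; the same applies to a malformed value, so a later per‑IP rate limiter or allowlist never runs on an unparseable key.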

Advisories
Source         ID                     Title
Github GHSA    GHSA-92mv-8f8w-wq52    traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)
History

Fri, 06 Mar 2026 17:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                   Values Removed    Values Added
First Time appeared                      Traefik; Traefik traefik
CPEs                                     cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
Vendors & Products                       Traefik; Traefik traefik

Fri, 06 Mar 2026 00:15:00 +0000

Type          Values Removed            Values Added
References
Metrics       threat_severity: None     threat_severity: Important


Thu, 05 Mar 2026 18:15:00 +0000

Type           Values Removed    Values Added
Description                      Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9.
Title                            Traefik: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)
Weaknesses                       CWE-178
References
Metrics                          cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:11:57.698Z

Reserved: 2026-03-03T17:50:11.244Z

Link: CVE-2026-29054

Vulnrichment

Updated: 2026-03-06T16:00:34.965Z

NVD

Status : Analyzed

Published: 2026-03-05T19:16:15.277

Modified: 2026-03-06T15:26:20.060

Link: CVE-2026-29054

Redhat

Severity : Important

Public Date: 2026-03-05T16:18:49Z

Links: CVE-2026-29054 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses