CVE-2026-33433 - Vulnerability Details

- Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue.

Published: 2026-03-27

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Traefik allows an authenticated attacker to configure a non-canonical HTTP header name in the headerField setting (for example, "x-auth-user" instead of "X-Auth-User"). When this is done, the attacker can inject the canonical form of that header. The backend server receives two header entries; the attacker‑supplied canonical header is processed first and overrides the non‑canonical value, effectively allowing the attacker to impersonate any identity to the backend. This results in a denial of access control and could enable data exfiltration or unauthorized actions under the victim’s identity.

Affected Systems

Traefik reverse‑proxy and load‑balancer versions prior to 2.11.42, 3.6.11, and 3.7.0‑ea.3 are affected. The vulnerability is present in all editions of the Traefik product managed through the vendor "traefik:traefik".

Risk and Exploitability

The CVSS score for this vulnerability is 5.1, indicating moderate severity, while the EPSS score is below 1 % and it is not listed in the CISA KEV catalog. The likely attack vector is a remote authenticated user who can modify Traefik’s headerField configuration. By injecting the canonical header, the attacker can successfully bypass authentication controls on the backend, effectively gaining impersonation privileges. Given the moderate CVSS but low exploitation probability, the risk is significant for exposed services that rely on Traefik for identity propagation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

traefik

affected

Version	Status	Constraints
`< 2.11.42`	affected	—
`>= 3.0.0-beta1, < 3.6.11`	affected	—
`>= 3.7.0-ea.1, < 3.7.0-ea.3`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:traefik:traefik::::::::
	cpe:2.3:a:traefik:traefik::::::::
	cpe:2.3:a:traefik:traefik:3.7.0:ea1::::::
	cpe:2.3:a:traefik:traefik:3.7.0:ea2::::::

No data.

Vendor Product Confidence Versions

Traefik

100%

Version	Status	Scheme	Platform
`[0,2.11.42)`	affected	semver	—
`[3.0.0-beta1,3.6.11)`	affected	semver	—
`[3.7.0-ea.1,3.7.0-ea.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Traefik to version 2.11.42 or later, 3.6.11 or later, or 3.7.0‑ea.3 or later.

Generated by OpenCVE AI on April 3, 2026 at 20:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-qr99-7898-vr7c	Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField

Attack Vector Network

Attack Complexity High

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0002.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/traefik/traefik/releases/tag/v2.11.42
https://github.com/traefik/traefik/releases/tag/v3.6.11
https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3
https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c
https://nvd.nist.gov/vuln/detail/CVE-2026-33433
https://www.cve.org/CVERecord?id=CVE-2026-33433

History

Fri, 03 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:traefik:traefik:::::::: cpe:2.3:a:traefik:traefik:3.7.0:ea1:::::: cpe:2.3:a:traefik:traefik:3.7.0:ea2::::::
Metrics	cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N'}`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 30 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 30 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Traefik Traefik traefik
Vendors & Products		Traefik Traefik traefik

Sat, 28 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-33433 https://www.cve.org/CVERecord?id=CVE-2026-33433
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N'}` threat_severity `Important`

Fri, 27 Mar 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description		Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue.
Title		Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
Weaknesses		CWE-290
References		https://github.com/traefik/traefik/releases/tag/v2.11.42 https://github.com/traefik/traefik/releases/tag/v3.6.11 https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3 https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}`

Subscriptions

Traefik Traefik

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-27T13:49:08.455Z

Updated: 2026-03-30T12:00:41.940Z

Reserved: 2026-03-19T18:45:22.436Z

Link: CVE-2026-33433

Vulnrichment

Updated: 2026-03-30T12:00:37.578Z

NVD

Status : Analyzed

Published: 2026-03-27T15:16:54.980

Modified: 2026-04-03T17:09:06.200

Link: CVE-2026-33433

Redhat

Severity : Important

Publid Date: 2026-03-27T13:49:08Z

Links: CVE-2026-33433 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:18:00Z

Weaknesses

CWE-290

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object