Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Published: 2026-04-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik's ForwardAuth middleware can be configured with trustForwardHeader=false and is deployed behind a trusted upstream proxy. In these circumstances a malicious actor can inject a spoofed X-Forwarded-Prefix header to bypass authentication checks, permitting access to resources without valid credentials. This flaw falls under CWE‑345 and CWE‑501, which represent implicit trust or access control weaknesses. The practical impact is an unauthorized privilege escalation that can compromise scope‑limited or system‑wide functionality depending on how the application is structured behind the proxy.

Affected Systems

Affected versions include all releases of the Traefik HTTP reverse proxy and load balancer prior to 2.11.43, 3.6.14, and 3.7.0‑rc.2. Any deployment of these product versions that relies on ForwardAuth with trustForwardHeader set to false while sitting behind a trusted upstream proxy is susceptible.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity authentication bypass. The EPSS score of 0.00017 indicates an extremely low probability of exploitation, consistent with the <1% threshold. Authentication bypass typically represents a high risk to confidentiality and integrity. The driver for exploitation is HTTP header manipulation, so the attack vector is network‑based via crafted requests. The vulnerability is not listed in the CISA KEV catalog, implying no known active, widely‑publicised exploitation at this time.

Generated by OpenCVE AI on May 9, 2026 at 02:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 2.11.43 or later, 3.6.14 or later, or 3.7.0-rc.2 or later, which contain the ForwardAuth fix.
  • If an upgrade is not feasible, disable the ForwardAuth middleware or set trustForwardHeader=true when the proxy is behind a trusted upstream, thereby eliminating the gateway for header spoofing.
  • Configure inbound traffic to reject or strip suspicious X-Forwarded-Prefix headers before they reach Traefik if possible, adding a secondary validation layer.

Generated by OpenCVE AI on May 9, 2026 at 02:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6384-m2mw-rf54 Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-501
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 01 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 01 May 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea2:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea3:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}

Thu, 30 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Thu, 30 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Title Traefik: ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth
Weaknesses CWE-345
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N'}

Subscriptions

Traefik Traefik
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-01T21:20:11.714Z

Reserved: 2026-03-31T21:06:06.429Z

Link: CVE-2026-35051

cve-icon Vulnrichment

Updated: 2026-05-01T21:20:07.596Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T21:16:32.047

Modified: 2026-05-01T17:45:41.300

Link: CVE-2026-35051

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-30T20:26:06Z

Links: CVE-2026-35051 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T02:15:06Z

Weaknesses