Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Published: 2026-04-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik's ForwardAuth middleware can be configured with trustForwardHeader=false and is deployed behind a trusted upstream proxy. In these circumstances a malicious actor can inject a spoofed X-Forwarded-Prefix header to bypass authentication checks, permitting access to resources without valid credentials. This flaw falls under CWE‑345, which represents implicit trust or access control weaknesses. The practical impact is an unauthorized privilege escalation that can compromise scope‑limited or system‑wide functionality depending on how the application is structured behind the proxy.

Affected Systems

Affected versions include all releases of the Traefik HTTP reverse proxy and load balancer prior to 2.11.43, 3.6.14, and 3.7.0‑rc.2. Any deployment of these product versions that relies on ForwardAuth with trustForwardHeader set to false while sitting behind a trusted upstream proxy is susceptible.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity authentication bypass. EPSS data is not available, making precise exploitation likelihood uncertain, but authentication bypass typically represents a high risk to confidentiality and integrity. The driver for exploitation is HTTP header manipulation, so the attack vector is network‑based via crafted requests. The vulnerability is not currently listed in the CISA KEV catalog, implying no known active, widely‑publicised exploitation at this time.

Generated by OpenCVE AI on May 1, 2026 at 04:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 2.11.43 or later, 3.6.14 or later, or 3.7.0-rc.2 or later, which contain the ForwardAuth fix.
  • If an upgrade is not feasible, disable the ForwardAuth middleware or set trustForwardHeader=true when the proxy is behind a trusted upstream, thereby eliminating the gateway for header spoofing.
  • Configure inbound traffic to reject or strip suspicious X-Forwarded-Prefix headers before they reach Traefik if possible, adding a secondary validation layer.

Generated by OpenCVE AI on May 1, 2026 at 04:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 01 May 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea2:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea3:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}

Thu, 30 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Thu, 30 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Title Traefik: ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth
Weaknesses CWE-345
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N'}

Subscriptions

Traefik Traefik
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-01T21:20:11.714Z

Reserved: 2026-03-31T21:06:06.429Z

Link: CVE-2026-35051

cve-icon Vulnrichment

Updated: 2026-05-01T21:20:07.596Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T21:16:32.047

Modified: 2026-05-01T17:45:41.300

Link: CVE-2026-35051

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:00:12Z

Weaknesses