Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Published: 2026-04-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Traefik's handling of forwarded headers used by the ForwardAuth and snippet-based authentication middleware. The sanitization logic removes only canonical header names such as X-Forwarded-Proto; it does not strip or normalize alias forms that replace dashes with underscores. As a result, an attacker can send headers such as X_Forwarded_Proto carrying a forged trust context. When the authentication backend treats the underscore and dash forms as equivalent, it accepts that forged context, and authentication on protected routes is bypassed without valid credentials.
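The sanitization gap described above and in the Description, as an added illustration in Go (Traefik's language) that is not Traefik's own code: stripCanonicalOnly mirrors the weak behaviour, while stripForwardedAliases folds case and maps underscores to dashes before comparing, so X_Forwarded_Proto is dropped together with X-Forwarded-Proto. The header list, function names and sample request are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Forwarded headers the proxy must own and never accept from the client.
// Illustrative list, not the set Traefik protects.
var forwardedHeaders = []string{
	"X-Forwarded-Proto",
	"X-Forwarded-Host",
	"X-Forwarded-For",
	"X-Forwarded-Port",
	"X-Real-Ip",
}

// stripCanonicalOnly is the weak pattern: only the exact dash-spelled
// canonical name is removed, so an underscore alias passes through.
func stripCanonicalOnly(h http.Header) {
	for _, name := range forwardedHeaders {
		h.Del(name)
	}
}

// isForwardedAlias normalizes a raw header name (lower-case, '_' -> '-')
// and reports whether it collides with a protected forwarded header.
func isForwardedAlias(raw string) bool {
	folded := strings.ReplaceAll(strings.ToLower(raw), "_", "-")
	for _, name := range forwardedHeaders {
		if folded == strings.ToLower(name) {
			return true
		}
	}
	return false
}

// stripForwardedAliases removes every client-supplied header whose
// normalized form matches a protected header, whatever spelling was used.
// Deleting map keys while ranging over a Go map is safe.
func stripForwardedAliases(h http.Header) {
	for raw := range h {
		if isForwardedAlias(raw) {
			delete(h, raw)
		}
	}
}

func main() {
	h := http.Header{} // constructed sample request headers
	h.Set("X-Forwarded-Proto", "https")
	h.Set("X_Forwarded_Proto", "https")
	stripCanonicalOnly(h)
	fmt.Println("weak strip, alias left:", h.Get("X_Forwarded_Proto") != "")
	stripForwardedAliases(h)
	fmt.Println("hardened strip, alias left:", h.Get("X_Forwarded_Proto") != "")
}
```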

Affected Systems

Affected systems are Traefik installations (vendor/product traefik:traefik). Any deployment running a 2.x release before v2.11.43, or a 3.x release before v3.6.14 or v3.7.0-rc.2, is vulnerable. The fix is included in releases 2.11.43, 3.6.14, and 3.7.0-rc.2.

Risk and Exploitability

The CVSS score of 7.8 rates this as high severity. Because exploitation only requires crafting an HTTP request that carries underscore-based header aliases, no privileges or internal network access are needed, so the attack is easy to execute. The EPSS score is 0.00061, indicating a very low probability of exploitation in the wild; a low EPSS does not mean the vulnerability cannot be exploited. The vulnerability is not yet listed in CISA KEV. Since the bypass is triggered by a single request to the Traefik front end, organizations running affected versions should apply the patch promptly.

Generated by OpenCVE AI on May 9, 2026 at 02:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 2.11.43, 3.6.14, or 3.7.0-rc.2 or later, which contain the fix for header alias sanitization.
  • If an upgrade is not immediately possible, disable the ForwardAuth or snippet-based authentication middleware for protected routes, or enforce stricter header validation at the backend to reject underscore-based aliases.
  • Configure network firewalls or API gateways to block or strip headers that use underscore characters before forwarding to Traefik, preventing the spoofing attempt.



Advisories
Source: Github GHSA | ID: GHSA-5m6w-wvh7-57vm | Title: Traefik: Pre-authentication decision bypass due to forwarded alias spoofing
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-289
References
Metrics threat_severity

None

threat_severity

Important


Mon, 04 May 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea2:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea3:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}


Thu, 30 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Thu, 30 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Title Traefik: Forwarded alias spoofing top pre-auth decision bypass
Weaknesses CWE-290
CWE-306
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T16:58:14.458Z

Reserved: 2026-04-07T19:13:20.379Z

Link: CVE-2026-39858

Vulnrichment

Updated: 2026-05-04T16:58:09.098Z

NVD

Status : Analyzed

Published: 2026-04-30T21:16:32.313

Modified: 2026-05-01T17:44:36.067

Link: CVE-2026-39858

Redhat

Severity : Important

Public Date: 2026-04-30T20:26:26Z

Links: CVE-2026-39858 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T02:15:06Z

Weaknesses