Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Published: 2026-04-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Traefik’s handling of forwarded headers used by ForwardAuth and snippet-based authentication middleware. The sanitization logic removes only canonical header names such as X-Forwarded-Proto, but it fails to strip or normalize alias forms that replace dashes with underscores. As a result, an attacker can send headers like X_Forwarded_Proto to inject a forged trust context, which the authentication backend normalizes equivalently. This allows bypassing authentication on protected routes without valid credentials.

Affected Systems

Affected systems are Traefik installations (CPE vendor/product traefik:traefik). Any deployment running Traefik 2.x before v2.11.43, or 3.x before v3.6.14 or v3.7.0-rc.2, is vulnerable. The fix is included in releases 2.11.43, 3.6.14, and 3.7.0-rc.2.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity assessment. Because the exploit only requires crafting an HTTP request with underscore‑based header aliases, no special privileges or internal access are needed, making it relatively easy to execute. The EPSS score is not available, but the lack of this data does not diminish the likelihood of exploitation; the vulnerability is not yet listed in CISA KEV. An attacker can trigger the bypass by sending a request to the Traefik front‑end, so organizations using the affected versions should apply the patch promptly.

Generated by OpenCVE AI on May 1, 2026 at 04:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 2.11.43, 3.6.14, or 3.7.0-rc.2 or later, which contain the fix for header alias sanitization.
  • If an upgrade is not immediately possible, disable the ForwardAuth or snippet-based authentication middleware for protected routes, or enforce stricter header validation at the backend to reject underscore‑based aliases.
  • Configure network firewalls or API gateways to block or strip headers that use underscore characters before forwarding to Traefik, preventing the spoofing attempt.
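The gap the description names is a sanitizer that matches only the canonical dash-spelled header names, so an underscore alias such as X_Forwarded_Proto passes through untouched. The following Go code is an added example, not Traefik's own code, of the two defensive pieces discussed on this page: a proxy-side sanitizer that compares header names after folding case and mapping underscores to dashes, then re-sets the trust headers from values the proxy itself observed; and the backend-side check from the recommended actions that rejects any header name containing an underscore. The list of trust-context headers, the function names, and the sample client headers are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Trust-context headers that only the proxy may set, never the client.
// Lower-case, dash form. This set is an assumption for the example,
// not Traefik's own list.
var forwardedHeaders = map[string]bool{
	"x-forwarded-proto":  true,
	"x-forwarded-host":   true,
	"x-forwarded-for":    true,
	"x-forwarded-port":   true,
	"x-forwarded-uri":    true,
	"x-forwarded-method": true,
	"x-real-ip":          true,
}

// normalizeHeaderName folds case and maps '_' to '-', so that
// X_Forwarded_Proto, x-forwarded-proto and X-FORWARDED-PROTO compare equal.
// Matching on this normalized form is what closes the alias gap.
func normalizeHeaderName(name string) string {
	return strings.ToLower(strings.ReplaceAll(name, "_", "-"))
}

// StripForwardedAliases deletes every header whose normalized name is a
// trust-context header, whatever spelling the client used, and returns the
// raw names it removed (sorted) so the caller can log them.
// Map keys are deleted directly rather than via Header.Del, because Del
// canonicalizes its argument and would miss non-canonical keys.
func StripForwardedAliases(h http.Header) []string {
	var removed []string
	for name := range h {
		if forwardedHeaders[normalizeHeaderName(name)] {
			removed = append(removed, name)
		}
	}
	for _, name := range removed {
		delete(h, name)
	}
	sort.Strings(removed)
	return removed
}

// SanitizeForAuthBackend builds the header set handed to the auth backend:
// a copy of the client headers with every forwarded alias stripped, then the
// canonical X-Forwarded-Proto/Host set from what the proxy itself observed.
func SanitizeForAuthBackend(client http.Header, scheme, host string) http.Header {
	out := client.Clone()
	StripForwardedAliases(out)
	out.Set("X-Forwarded-Proto", scheme)
	out.Set("X-Forwarded-Host", host)
	return out
}

// RejectUnderscoreHeaders is the backend-side check from the recommended
// actions: refuse any request carrying a header name with an underscore,
// since such names are ambiguous across proxies and have no legitimate use
// here. Returns the offending name and false, or "" and true.
func RejectUnderscoreHeaders(h http.Header) (string, bool) {
	for name := range h {
		if strings.Contains(name, "_") {
			return name, false
		}
	}
	return "", true
}

func main() {
	// Constructed client headers: a canonical X-Forwarded-Proto, an
	// underscore alias of it, an alias of X-Forwarded-Host, and an
	// unrelated header that must survive sanitization.
	client := http.Header{
		"X-Forwarded-Proto": {"https"},
		"X_Forwarded_Proto": {"https"},
		"x_forwarded_host":  {"auth.internal.example"},
		"Accept":            {"*/*"},
	}
	if name, ok := RejectUnderscoreHeaders(client); !ok {
		fmt.Printf("backend would reject request: header %q\n", name)
	}
	toBackend := SanitizeForAuthBackend(client, "http", "public.example")
	fmt.Println("headers sent to auth backend:", toBackend)
}
```

The proxy-side function keeps the client's unrelated headers, drops all seven trust headers in any spelling, and then writes the canonical values itself, so the backend never sees a client-supplied scheme or host in either form. The backend-side function is the belt-and-braces check for deployments that cannot upgrade immediately.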

Generated by OpenCVE AI on May 1, 2026 at 04:58 UTC.


Advisories

No advisories yet.

History

Fri, 01 May 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea2:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea3:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}


Thu, 30 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Thu, 30 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Title Traefik: Forwarded alias spoofing top pre-auth decision bypass
Weaknesses CWE-290
CWE-306
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-30T20:26:26.300Z

Reserved: 2026-04-07T19:13:20.379Z

Link: CVE-2026-39858

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-30T21:16:32.313

Modified: 2026-05-01T17:44:36.067

Link: CVE-2026-39858

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T05:00:12Z

Weaknesses