Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. /./admin/secret). ForwardAuth receives this dot-segment path in X-Forwarded-Uri, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content. An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Published: 2026-04-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik's StripPrefixRegex middleware incorrectly slices the percent-encoded raw path based on the decoded path length. When a prefix contains one or more dots, the resulting stripped raw path becomes a dot‑segment such as "/./admin/secret". Forward authentication mechanisms receive this dot‑segment in the X‑Forwarded‑Uri header, which does not match the intended protected path patterns, allowing the request to pass through the authentication layer. The backend then normalizes the dot‑segment to the real path and serves protected content to an unauthenticated attacker. This is an authentication bypass via a path desynchronization flaw (CWE‑706).

Affected Systems

The vulnerability affects Traefik versions older than 2.11.43, 3.6.14, and 3.7.0‑rc.2. Any deployment that uses the StripPrefixRegex middleware together with ForwardAuth, BasicAuth, or DigestAuth is at risk. Systems running Traefik 2.x or 3.x prior to the patched releases are vulnerable.

Risk and Exploitability

The CVSS score is 7.8, indicating high severity, while the EPSS score is currently unavailable. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this by crafting an HTTP request with a dot‑segment in the prefix of the URL, a technique that requires network access to the Traefik instance. If the backend normalizes dot‑segments (as required by RFC 3986), the protected resources are returned without authentication.

Generated by OpenCVE AI on May 2, 2026 at 00:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to version 2.11.43, 3.6.14, or 3.7.0‑rc.2 or later
  • If an immediate upgrade is not possible, temporarily disable the StripPrefixRegex middleware for routes that rely on authentication
  • Configure the ForwardAuth service to reject dot‑segment paths or enforce path normalization before the authentication step
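
The third action above, sketched as an added example (not Traefik's or OpenCVE's code): a ForwardAuth-side policy check that decodes and normalizes the X-Forwarded-Uri path before matching, shown next to a naive raw-string match that misses `/./admin/secret`. The `/admin` prefix, the function names and the percent-encoded sample URI are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Hypothetical policy for this example: prefixes that require credentials.
var protectedPrefixes = []string{"/admin"}

func isProtected(p string) bool {
	for _, pre := range protectedPrefixes {
		if p == pre || strings.HasPrefix(p, pre+"/") {
			return true
		}
	}
	return false
}

// NaiveDecide matches the raw X-Forwarded-Uri string as received.
func NaiveDecide(forwardedURI string) string {
	if isProtected(forwardedURI) {
		return "auth-required"
	}
	return "public"
}

// Decide percent-decodes the path, then either rejects dot-segments
// (rejectDots=true) or removes them before matching the policy.
func Decide(forwardedURI string, rejectDots bool) string {
	u, err := url.ParseRequestURI(forwardedURI)
	if err != nil {
		return "reject"
	}
	for _, seg := range strings.Split(u.Path, "/") { // u.Path is decoded: %2e -> "."
		if rejectDots && (seg == "." || seg == "..") {
			return "reject"
		}
	}
	if isProtected(path.Clean(u.Path)) {
		return "auth-required"
	}
	return "public"
}

func main() {
	for _, uri := range []string{"/admin/secret", "/./admin/secret", "/%2e/admin/secret"} { // constructed samples
		fmt.Println(uri, NaiveDecide(uri), Decide(uri, true), Decide(uri, false))
	}
}
```

Rejecting outright is the stricter choice; normalizing keeps the auth decision aligned with what a dot-segment-normalizing backend will actually serve.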

Generated by OpenCVE AI on May 2, 2026 at 00:16 UTC.

Advisories

No advisories yet.

History

Fri, 01 May 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea2:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:ea3:*:*:*:*:*:*
cpe:2.3:a:traefik:traefik:3.7.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


Fri, 01 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Thu, 30 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. /./admin/secret). ForwardAuth receives this dot-segment path in X-Forwarded-Uri, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content. An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Title Traefik: StripPrefixRegex auth bypass via Path/RawPath desync
Weaknesses CWE-706
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-01T14:54:06.078Z

Reserved: 2026-04-15T16:37:22.768Z

Link: CVE-2026-40912

Vulnrichment

Updated: 2026-05-01T14:53:40.695Z

NVD

Status: Analyzed

Published: 2026-04-30T21:16:32.740

Modified: 2026-05-01T17:42:32.060

Link: CVE-2026-40912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:30:16Z
