Description
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request's complete header set, including Authorization, Cookie, and other authentication material, to the separate error page service rather than only the minimal context needed to render the error page. This behavior is undocumented: the documentation states only that Host is forwarded by default, so operators are not warned that sensitive credentials are shared across service boundaries. Deployments using the errors middleware with a distinct error page service may inadvertently expose end-user credentials to infrastructure that was not intended to receive them. This vulnerability is fixed in 2.11.44, 3.6.15, and 3.7.0-rc.3.
Published: 2026-05-15
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Traefik errors middleware forwards the complete set of request headers, including Authorization, Cookie, and other authentication material, to the separate error page service whenever a backend response matches the configured status range. The documentation states that only the Host header is forwarded by default, so operators are not warned that credentials cross a service boundary. Any party that can observe requests arriving at the error page service, whether its operators, its access logs, or an attacker who has compromised it, can therefore obtain end-user credentials. The description does not report it, but a captured bearer token or session cookie could plausibly be replayed for session hijacking or impersonation; no such exploitation is reported in the provided data.
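To make the failure mode concrete, the following Go program is an added example written for this page; it is not Traefik's code and does not reproduce its internals. It models the errors middleware as a handler that buffers the backend response and, when the status falls in the configured range, fetches the page from a separate error service. With forwardAll=true it copies every request header, as the pre-fix middleware did; with forwardAll=false it forwards only Host plus a small allow-list of rendering hints. The error service URL, the allow-list, and the sample credentials are assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// handlerTransport hands a client request straight to an http.Handler, so the
// error page service below is reachable without opening sockets.
type handlerTransport struct{ h http.Handler }

func (t handlerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, req)
	return rec.Result(), nil
}

// errorsMiddleware models the behaviour the advisory describes (not Traefik's
// code): forwardAll=true copies the whole header set to the error page service,
// false forwards only Host plus a short allow-list of rendering hints.
type errorsMiddleware struct {
	next                 http.Handler
	client               *http.Client // reaches the error page service
	minStatus, maxStatus int
	forwardAll           bool
}

// buildErrorRequest builds the request for the error page service; the URL and
// the allow-list are assumptions made for this example.
func buildErrorRequest(orig *http.Request, status int, forwardAll bool) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, "http://error-pages.internal/"+strconv.Itoa(status)+".html", nil)
	if err != nil {
		return nil, err
	}
	req.Host = orig.Host // the one header the documentation says is forwarded
	if forwardAll {
		req.Header = orig.Header.Clone() // Authorization, Cookie, ... travel along
		return req, nil
	}
	for _, name := range []string{"Accept", "Accept-Language"} {
		for _, v := range orig.Header.Values(name) {
			req.Header.Add(name, v)
		}
	}
	return req, nil
}

func (m *errorsMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	rec := httptest.NewRecorder() // buffer the backend response to read its status
	m.next.ServeHTTP(rec, r)
	if rec.Code < m.minStatus || rec.Code > m.maxStatus {
		for k, v := range rec.Header() {
			w.Header()[k] = v
		}
		w.WriteHeader(rec.Code)
		w.Write(rec.Body.Bytes()) // outside the range: pass the response through
		return
	}
	req, err := buildErrorRequest(r, rec.Code, m.forwardAll)
	var resp *http.Response
	if err == nil {
		resp, err = m.client.Do(req)
	}
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	w.WriteHeader(rec.Code) // keep the backend status, serve the custom page body
	io.Copy(w, resp.Body)
}

// headersSeenByErrorService pushes one constructed, authenticated request through
// a backend that always fails and returns what the error page service received.
func headersSeenByErrorService(forwardAll bool) http.Header {
	seen := http.Header{}
	errorPages := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Clone()
		seen.Set("Host", r.Host) // Go keeps Host outside the header map
		fmt.Fprintf(w, "<h1>Error page %s</h1>", r.URL.Path)
	})
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Error(w, "upstream down", http.StatusServiceUnavailable)
	})
	mw := &errorsMiddleware{next: backend, minStatus: 500, maxStatus: 599, forwardAll: forwardAll,
		client: &http.Client{Transport: handlerTransport{errorPages}}}
	req := httptest.NewRequest(http.MethodGet, "http://app.example.test/api/profile", nil)
	req.Header.Set("Authorization", "Bearer example-token") // constructed sample credentials
	req.Header.Set("Cookie", "session=example-session")
	req.Header.Set("Accept-Language", "en")
	mw.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	for _, all := range []bool{true, false} {
		h := headersSeenByErrorService(all)
		fmt.Printf("forwardAll=%v Authorization=%q Cookie=%q Host=%q\n", all, h.Get("Authorization"), h.Get("Cookie"), h.Get("Host"))
	}
}
```

Run as is, the leaky variant shows the bearer token and session cookie arriving at the error service while the hardened variant delivers only Host and Accept-Language. Pointing a real errors middleware at a service that echoes its received headers is the same check in deployment form and is a quick way to confirm that an upgrade closed the leak.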

Affected Systems

Traefik versions before 2.11.44, 3.6.15, and 3.7.0‑rc.3 are impacted when the errors middleware is enabled with a distinct error page service.

Risk and Exploitability

The CVSS v4.0 score of 6.9 (Medium) comes from a vector that is network-reachable with no privileges or user interaction (AV:N/AC:L/AT:N/PR:N/UI:N) but scores no impact on Traefik itself (VC:N/VI:N/VA:N) and only a low confidentiality impact on a subsequent system (SC:L), the error page service that receives the headers. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path, inferred from the description, is an attacker-controlled or compromised error page service, or anyone able to read its traffic or logs, collecting the forwarded authentication headers; because it is the victim's own request that is copied, the attacker needs nothing from the victim beyond an ordinary authenticated request whose backend response falls in the configured status range. Exploitation therefore requires that the errors middleware is active with a distinct error page service and that some backend responses trigger the error handling path. No public exploit has been reported for this issue.

Generated by OpenCVE AI on May 15, 2026 at 17:50 UTC.

Remediation

Fixed versions are available: Traefik 2.11.44, 3.6.15, and 3.7.0-rc.3. No workaround for earlier versions is documented.

OpenCVE Recommended Actions

  • Upgrade to Traefik v2.11.44 or later, v3.6.15 or later, or v3.7.0‑rc.3 or later; the upgrade is the only change that stops the credentials leaving Traefik.
  • Until then, restrict network access to the custom error page service so that only Traefik can reach it, and treat that service, including its access logs, as a system that has already received end-user credentials: check whether Authorization or Cookie values were retained and rotate the affected sessions if they were.
  • Monitor the error page service for incoming Authorization or Cookie headers to detect unpatched proxies or misconfigurations; alert on the presence of the header rather than its value, so the monitoring pipeline does not itself become a store of credentials.
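The third action above calls for monitoring. The following Go program is an added example, not part of the advisory or of Traefik: it scans JSON access-log lines from the error page service and reports each request that arrived carrying Authorization, Cookie, or Proxy-Authorization. The log schema and the sample lines are constructed for the example, so adapt the parsing to whatever your error service actually emits. It deliberately records header names only, never values, so the alert pipeline does not become a second place where the credentials end up.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// logEntry is the shape of one access-log line emitted by the error page
// service. The format is an assumption for this example, not a real schema.
type logEntry struct {
	Time    string            `json:"time"`
	Path    string            `json:"path"`
	Headers map[string]string `json:"headers"`
}

// finding records that a request reached the error page service carrying
// headers it should never see. Only header names are kept: a detector that
// copies the values would turn the monitoring pipeline into a credential sink.
type finding struct {
	Time, Path string
	Headers    []string
}

// credentialHeaders are the request headers an error page service has no
// reason to receive; matching is case-insensitive.
var credentialHeaders = []string{"Authorization", "Cookie", "Proxy-Authorization"}

// scanErrorServiceLog parses JSON lines and returns one finding per request
// that carried any credential header. A malformed line is an error rather than
// a silent skip, so a broken log pipeline cannot hide a leak.
func scanErrorServiceLog(lines []string) ([]finding, error) {
	var out []finding
	for n, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var e logEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		var hit []string
		for name := range e.Headers {
			for _, c := range credentialHeaders {
				if strings.EqualFold(name, c) {
					hit = append(hit, name)
				}
			}
		}
		if len(hit) > 0 {
			sort.Strings(hit) // map iteration order is random; make output stable
			out = append(out, finding{Time: e.Time, Path: e.Path, Headers: hit})
		}
	}
	return out, nil
}

// sampleLog is constructed test data: one clean request, one carrying a bearer
// token and a session cookie, and one with a lower-cased cookie header.
var sampleLog = []string{
	`{"time":"2026-05-15T18:00:00Z","path":"/503.html","headers":{"Host":"app.example.test","Accept-Language":"en"}}`,
	`{"time":"2026-05-15T18:00:01Z","path":"/503.html","headers":{"Host":"app.example.test","Authorization":"Bearer example-token","Cookie":"session=example"}}`,
	`{"time":"2026-05-15T18:00:02Z","path":"/404.html","headers":{"Host":"app.example.test","cookie":"session=example"}}`,
}

func main() {
	findings, err := scanErrorServiceLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s received credential headers: %s\n", f.Time, f.Path, strings.Join(f.Headers, ", "))
	}
}
```

On the constructed sample the scanner flags the second and third lines and ignores the first. In a real deployment, a single hit after the upgrade is a strong signal that some proxy in front of the error service is still on a vulnerable version.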

Generated by OpenCVE AI on May 15, 2026 at 17:50 UTC.


Advisories
Source: Github GHSA
ID: GHSA-p6hg-qh38-555r
Title: Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service
History

Sat, 16 May 2026 02:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 17:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Traefik; Traefik traefik

Type: Vendors & Products
Values Removed: (none)
Values Added: Traefik; Traefik traefik

Fri, 15 May 2026 16:45:00 +0000

Type: Description
Values Added: Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request's complete header set, including Authorization, Cookie, and other authentication material, to the separate error page service rather than only the minimal context needed to render the error page. This behavior is undocumented: the documentation states only that Host is forwarded by default, so operators are not warned that sensitive credentials are shared across service boundaries. Deployments using the errors middleware with a distinct error page service may inadvertently expose end-user credentials to infrastructure that was not intended to receive them. This vulnerability is fixed in 2.11.44, 3.6.15, and 3.7.0-rc.3.

Type: Title
Values Added: Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service

Type: Weaknesses
Values Added: CWE-201

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-16T01:11:03.867Z

Reserved: 2026-04-17T16:34:45.526Z

Link: CVE-2026-41181

Vulnrichment

Updated: 2026-05-16T01:10:58.678Z

NVD

Status: Received

Published: 2026-05-15T17:16:46.320

Modified: 2026-05-15T17:16:46.320

Link: CVE-2026-41181

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T18:00:05Z

Weaknesses