Description
Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's ForwardAuth middleware, even when configured with trustForwardHeader: false, derives the X-Forwarded-Port header sent to the authentication service from the original incoming request instead of the sanitized forwarded request. As a result, an unauthenticated remote attacker can inject an X-Forwarded-Proto: https header over a plain HTTP connection and cause Traefik to forward X-Forwarded-Port: 443 to the authentication service, bypassing port-based authorization checks. This issue is fixed in versions v2.11.51, v3.6.22, and v3.7.6.
Published: 2026-07-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik’s ForwardAuth middleware, when trustForwardHeader is set to false, derives the X‑Forwarded‑Port header sent to authentication services from request rather than from the sanitized forwarded request. This flaw enables an unauthenticated remote attacker to send an HTTP request that includes a forged X‑Forwarded‑Proto: https header, causing Traefik to forward X‑Forwarded‑Port: 443 to the downstream authentication service. Because the service relies on the port value for access control, the attacker can bypass the intended port‑based authorization check and gain privileged access. The identified as CWE‑345, Information Exposure through Manipulation of HTTP Headers.

Affected Systems

Systems running Traefik versions older than 2.11.51, 3.6.22, or 3.7.6 are affected. The ForwardAuth middleware in the Traefik HTTP reverse proxy and load‑balancing component is the target of this defect. Any deployment—whether container‑based, Docker‑Compose, or Helm chart—that uses this middleware should verify that the running version is at least the specified releases.

Risk and Exploitability

Traefik assigns a CVSS score of 6.9, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw remotely by sending a crafted HTTP request through the reverse proxy; no additional authentication is required. Once the forwarded port is spoofed to 443, the downstream authentication service will erroneously permit access that it should deny, creating a clear security lapse. With no internal mitigation in the affected releases, the risk of exploitation remains plausible whenever untrusted clients can reach the proxy.

Generated by OpenCVE AI on July 7, 2026 at 05:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traefik to v2.11.51 or later, or to v3.6.22 or later, or v3.7.6 or later to eliminate the incorrect port derivation bug.
  • If an immediate upgrade is not possible, block or strip any X‑Forwarded‑Proto header from client traffic before it reaches Traefik so that the proxy can only use inbound request information to determine the original port.
  • Validate the ForwardAuth middleware configuration by setting trustForwardHeader: true a trusted upstream and ensure no untrusted X‑Forwarded‑Proto headers are exposed to external clients; otherwise avoid using ForwardAuth for services that rely on port‑based authentication.

Generated by OpenCVE AI on July 7, 2026 at 05:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Traefik
Traefik traefik
Vendors & Products Traefik
Traefik traefik

Mon, 06 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Description Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's ForwardAuth middleware, even when configured with trustForwardHeader: false, derives the X-Forwarded-Port header sent to the authentication service from the original incoming request instead of the sanitized forwarded request. As a result, an unauthenticated remote attacker can inject an X-Forwarded-Proto: https header over a plain HTTP connection and cause Traefik to forward X-Forwarded-Port: 443 to the authentication service, bypassing port-based authorization checks. This issue is fixed in versions v2.11.51, v3.6.22, and v3.7.6.
Title ForwardAuth middleware leaks X-Forwarded-Port spoofing via untrusted X-Forwarded-Proto when trustForwardHeader=false
Weaknesses CWE-345
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-07T14:03:17.886Z

Reserved: 2026-06-15T23:12:41.966Z

Link: CVE-2026-54764

cve-icon Vulnrichment

Updated: 2026-07-07T14:03:14.403Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T05:30:04Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity