Impact
Traefik’s ForwardAuth middleware, when trustForwardHeader is set to false, derives the X‑Forwarded‑Port header sent to authentication services from request rather than from the sanitized forwarded request. This flaw enables an unauthenticated remote attacker to send an HTTP request that includes a forged X‑Forwarded‑Proto: https header, causing Traefik to forward X‑Forwarded‑Port: 443 to the downstream authentication service. Because the service relies on the port value for access control, the attacker can bypass the intended port‑based authorization check and gain privileged access. The identified as CWE‑345, Information Exposure through Manipulation of HTTP Headers.
Affected Systems
Systems running Traefik versions older than 2.11.51, 3.6.22, or 3.7.6 are affected. The ForwardAuth middleware in the Traefik HTTP reverse proxy and load‑balancing component is the target of this defect. Any deployment—whether container‑based, Docker‑Compose, or Helm chart—that uses this middleware should verify that the running version is at least the specified releases.
Risk and Exploitability
Traefik assigns a CVSS score of 6.9, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw remotely by sending a crafted HTTP request through the reverse proxy; no additional authentication is required. Once the forwarded port is spoofed to 443, the downstream authentication service will erroneously permit access that it should deny, creating a clear security lapse. With no internal mitigation in the affected releases, the risk of exploitation remains plausible whenever untrusted clients can reach the proxy.
OpenCVE Enrichment