CVE-2026-26998

Name of the Vulnerable Software and Affected Versions Traefik versions prior to 2.11.38 and 3.6.9

Description Traefik, an HTTP reverse proxy and load balancer, has a potential issue in how it manages responses from the ForwardAuth middleware. When configured to use ForwardAuth, the response body from the authentication server is read entirely into memory without any size limit. The absence of a maxResponseBodySize configuration allows an attacker to send an unexpectedly large or unbounded response body, potentially causing Traefik to allocate unlimited memory and crash due to an out-of-memory (OOM) condition. This results in a denial of service for all routes served by the affected Traefik instance. A proof-of-concept demonstrates that a malicious authentication server can cause Traefik to allocate gigabytes of memory, leading to a complete service outage.

Recommendations Traefik versions prior to 2.11.38 must be updated. Traefik versions prior to 3.6.9 must be updated.