PT-2026-23092 · Traefik · Traefik

1Seal · Published 2026-03-04 · Updated 2026-04-13 · CVE-2026-29054

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Traefik versions 2.11.9 through 2.11.37
Traefik versions 3.1.3 through 3.6.8
Description

Traefik, an HTTP reverse proxy and load balancer, mishandles the Connection header in conjunction with the X-Forwarded headers it manages. When processing HTTP/1.1 requests, the protection that stops a client from removing Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host and X-Forwarded-Port) via the Connection header does not treat header-name case consistently: Connection tokens are compared case-sensitively, but the header deletion is case-insensitive. A remote, unauthenticated client can therefore bypass the protection by using lowercase Connection tokens (e.g., Connection: x-real-ip) to remove the Traefik-managed forwarded identity headers. This can affect downstream services that rely on these headers for authentication, authorization, routing or scheme decisions.
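The case mismatch described above, modelled as an added example that is not Traefik's own code: a hypothetical hop-by-hop header stripper whose protection check looks the raw Connection token up case-sensitively while net/http's Header.Del canonicalizes its argument, beside a fixed version that canonicalizes the token before the check. The protected-header set, function names and sample values are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Headers the (hypothetical) proxy sets itself; a client must not be able to
// strip them via Connection. Keys are in net/http canonical form.
var protectedHeaders = map[string]bool{"X-Real-Ip": true, "X-Forwarded-Host": true, "X-Forwarded-Port": true}

// connectionTokens splits the Connection header into its trimmed tokens.
func connectionTokens(h http.Header) []string {
	var tokens []string
	for _, t := range strings.Split(h.Get("Connection"), ",") {
		if t = strings.TrimSpace(t); t != "" {
			tokens = append(tokens, t)
		}
	}
	return tokens
}

// removeHopByHopVulnerable models the advisory's defect: the check is a case-sensitive
// map lookup, but Header.Del canonicalizes, so "x-real-ip" passes the check yet deletes X-Real-Ip.
func removeHopByHopVulnerable(h http.Header) {
	for _, t := range connectionTokens(h) {
		if protectedHeaders[t] { // "x-real-ip" != "X-Real-Ip": treated as not protected
			continue
		}
		h.Del(t) // canonicalizes to "X-Real-Ip" and removes it
	}
}

// removeHopByHopFixed canonicalizes the token first, so check and deletion agree on the header.
func removeHopByHopFixed(h http.Header) {
	for _, t := range connectionTokens(h) {
		if protectedHeaders[http.CanonicalHeaderKey(t)] {
			continue
		}
		h.Del(t)
	}
}

func main() {
	h := http.Header{"X-Real-Ip": {"203.0.113.5"}, "Connection": {"x-real-ip"}} // constructed sample
	removeHopByHopVulnerable(h)
	fmt.Println("X-Real-Ip survives the vulnerable stripper:", h.Get("X-Real-Ip") != "")
}
```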
Recommendations

Traefik versions 2.11.9 through 2.11.37 should be updated to version 2.11.38 or later. Traefik versions 3.1.3 through 3.6.8 should be updated to version 3.6.9 or later.


Related Identifiers

CVE-2026-29054
GHSA-92MV-8F8W-WQ52
GO-2026-4597
OPENSUSE-SU-2026:10314-1
OPENSUSE-SU-2026:10323-1
SUSE-SU-2026:1042-1

Affected Products

Traefik