PT-2026-28482 · Traefik · Traefik

0Xvijay · Published 2025-03-27 · Updated 2026-04-07 · CVE-2026-33433

CVSS v2.0: 9.0 High
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Traefik versions prior to 2.11.42
Traefik versions prior to 3.6.12
Traefik versions prior to 3.7.0-ea.3

Description

Traefik, an HTTP reverse proxy and load balancer, is susceptible to an identity impersonation issue. When the headerField configuration option is used with a non-canonical HTTP header name (for example, x-auth-user instead of X-Auth-User), an authenticated attacker can inject a canonical version of that header. This allows the attacker to impersonate any identity to the backend service. The backend receives two header entries, with the attacker-injected canonical version being read first, overriding Traefik's non-canonical write. This issue affects the Basic and Digest authentication middlewares. The vulnerability occurs because Traefik writes the authenticated username using a non-canonical map key, creating a separate header entry instead of overwriting the attacker's canonical one.

Recommendations

Traefik versions prior to 2.11.42 should be updated to version 2.11.42 or later.
Traefik versions prior to 3.6.12 should be updated to version 3.6.12 or later.
Traefik versions prior to 3.7.0-ea.3 should be updated to version 3.7.0-ea.3 or later.
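As an added illustration that is not part of this advisory or of Traefik's own code, the Go program below reproduces the header-key behaviour the description relies on using only net/http: a raw map write under a non-canonical key leaves a client-supplied canonical entry in place and Header.Get returns that entry, whereas Header.Set canonicalizes the key and overwrites it. The function names, the isCanonical configuration check and the sample header values are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
)

// Mimics a proxy writing the authenticated user with the configured
// headerField used verbatim as a map key (no canonicalization). Any
// client-supplied canonical variant survives alongside it.
func vulnerableForward(headerField, user string, client http.Header) http.Header {
	out := client.Clone()
	out[headerField] = []string{user} // raw map write, key kept as configured
	return out
}

// Same write through Header.Set, which canonicalizes the key and therefore
// overwrites the client-supplied entry whatever its case.
func fixedForward(headerField, user string, client http.Header) http.Header {
	out := client.Clone()
	out.Set(headerField, user)
	return out
}

// What a backend typically reads: Header.Get canonicalizes its argument, so
// it returns the canonical entry and never sees the non-canonical one.
func backendIdentity(h http.Header, headerField string) string {
	return h.Get(headerField)
}

// Configuration check a defender can run: a headerField value only avoids the
// described behaviour if it already matches Go's canonical form.
func isCanonical(headerField string) bool {
	return textproto.CanonicalMIMEHeaderKey(headerField) == headerField
}

func main() {
	// Constructed client request: Go's HTTP server canonicalizes incoming
	// header names, so a supplied "x-auth-user: admin" arrives as X-Auth-User.
	client := http.Header{"X-Auth-User": {"admin"}}
	for _, field := range []string{"x-auth-user", "X-Auth-User"} {
		v := backendIdentity(vulnerableForward(field, "alice", client), field)
		f := backendIdentity(fixedForward(field, "alice", client), field)
		fmt.Printf("headerField=%q canonical=%v vulnerable->%q fixed->%q\n",
			field, isCanonical(field), v, f)
	}
}
```

With the non-canonical field the vulnerable path yields "admin" while the fixed path yields "alice"; with the canonical field both paths yield "alice", which is why only non-canonical headerField values are affected.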

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

BDU:2026-05930
CVE-2026-33433
ECHO-F91F-26EA-BBF3
GHSA-QR99-7898-VR7C
GO-2026-4893
SUSE-SU-2026:1205-1

Affected Products

Traefik