PT-2026-36178 · Traefik · Traefik
Fancymalware
Published 2026-04-22 · Updated 2026-06-05
CVE-2026-39858
CVSS v3.1: 10.0 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Traefik versions prior to 2.11.43
Traefik versions prior to 3.6.14
Traefik versions prior to 3.7.0-rc.2
Description
An authentication bypass exists in the ForwardAuth and snippet-based authentication middleware. The forwarded-header sanitization logic matches only canonical header names and neither strips nor normalizes alias variants that use underscores instead of dashes (for example X_Forwarded_Proto instead of X-Forwarded-Proto). These unsanitized alias headers are passed through to the authentication backend. Many backends fold both spellings into one key (CGI- and WSGI-style environments expose either form as HTTP_X_FORWARDED_PROTO), so if the backend treats the underscore and dash forms as equivalent, an attacker who supplies X_Forwarded_Proto or X_Forwarded_Host can inject spoofed trust context, such as a trusted scheme or host, and bypass authentication on protected routes without valid credentials. Whether a given deployment is exploitable therefore depends on the backend's header handling; the proxy-side fix removes the aliases before they can reach it.
Recommendations
Update to version 2.11.43.
Update to version 3.6.14.
Update to version 3.7.0-rc.2.
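The header-name collision the description relies on, shown as an added illustration in Go (Traefik's language). This is not Traefik's code: it pairs a sanitizer that deletes only canonical names with a hardened one that folds underscores to dashes before matching, and feeds both into a toy backend that maps headers to CGI/WSGI-style HTTP_* keys. The trust-header list, the hostname app.example.test, the plain-HTTP client connection and the last-wins collision rule are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Headers the proxy must own on the way to the auth backend (assumed list).
var trustHeaders = []string{
	"X-Forwarded-Proto", "X-Forwarded-Host", "X-Forwarded-For", "X-Forwarded-Uri",
}

// stripCanonicalOnly models the described pre-fix behaviour: only the exact
// canonical names are removed, so an underscore alias survives untouched.
func stripCanonicalOnly(in http.Header) http.Header {
	out := in.Clone()
	for _, name := range trustHeaders {
		out.Del(name) // matches "X-Forwarded-Proto", never "X_forwarded_proto"
	}
	return out
}

// stripAliases is a hardened sanitizer: any header whose name, with '_' folded
// to '-' and compared case-insensitively, is a trust header gets dropped.
func stripAliases(in http.Header) http.Header {
	out := http.Header{}
	for name, vals := range in {
		if isTrustHeaderAlias(name) {
			continue
		}
		out[name] = append([]string(nil), vals...)
	}
	return out
}

func isTrustHeaderAlias(name string) bool {
	norm := strings.ToLower(strings.ReplaceAll(name, "_", "-"))
	for _, t := range trustHeaders {
		if norm == strings.ToLower(t) {
			return true
		}
	}
	return false
}

// attackerRequest is a constructed inbound request carrying the canonical spoof
// and its underscore alias. The alias is stored the way net/http stores it after
// parsing: CanonicalHeaderKey turns "X_Forwarded_Proto" into "X_forwarded_proto".
func attackerRequest() http.Header {
	h := http.Header{}
	h.Set("Host", "app.example.test") // assumed hostname
	h.Set("X-Forwarded-Proto", "https")
	h[http.CanonicalHeaderKey("X_Forwarded_Proto")] = []string{"https"}
	return h
}

// simulateProxy runs the sanitizer, then sets the forwarded headers from the
// real connection (assumed to be plain HTTP), as a reverse proxy would.
func simulateProxy(sanitize func(http.Header) http.Header, in http.Header) http.Header {
	out := sanitize(in)
	out.Set("X-Forwarded-Proto", "http")
	out.Set("X-Forwarded-Host", in.Get("Host"))
	return out
}

// cgiEnv models a backend exposing headers CGI/WSGI-style as HTTP_* keys,
// uppercased with '-' replaced by '_'. That mapping is where the two spellings
// collide. Collisions resolve last-wins in sorted key order here (assumption);
// real backends differ, which is exactly why the proxy must not forward aliases.
func cgiEnv(h http.Header) map[string]string {
	keys := make([]string, 0, len(h))
	for k := range h {
		keys = append(keys, k)
	}
	sort.Strings(keys) // "X-Forwarded-Proto" sorts before "X_forwarded_proto"
	env := map[string]string{}
	for _, k := range keys {
		env["HTTP_"+strings.ToUpper(strings.ReplaceAll(k, "-", "_"))] = h[k][len(h[k])-1]
	}
	return env
}

// spoofedScheme returns the scheme the backend ends up trusting for the
// attacker's request after the given sanitizer has run.
func spoofedScheme(sanitize func(http.Header) http.Header) string {
	env := cgiEnv(simulateProxy(sanitize, attackerRequest()))
	if s, ok := env["HTTP_X_FORWARDED_PROTO"]; ok {
		return s
	}
	return "http"
}

func main() {
	fmt.Println("canonical-only strip, backend trusts:", spoofedScheme(stripCanonicalOnly))
	fmt.Println("alias-aware strip,    backend trusts:", spoofedScheme(stripAliases))
}
```

Running it shows the canonical-only sanitizer leaving X_forwarded_proto in place so the toy backend believes the client arrived over https, while the alias-aware sanitizer leaves the backend with the proxy's own value. The backend model is deliberately one of several possible behaviours; a backend that keeps the spellings distinct is not fooled, which is the condition the advisory states.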
Fix
Authentication Bypass by Spoofing
Missing Authentication
Affected Products
Traefik