PT-2026-36179 · Traefik · Traefik

Gouldnicholas · Published 2026-04-22 · Updated 2026-05-05 · CVE-2026-40912

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Traefik versions prior to 2.11.43
Traefik versions prior to 3.6.14
Traefik versions prior to 3.7.0-rc.2
Description

An authentication bypass exists in the StripPrefixRegex middleware when it is chained in front of ForwardAuth, BasicAuth, or DigestAuth. The middleware matches its regular expression against the decoded URL path, but then uses the byte length of that decoded match to slice the percent-encoded raw path. Whenever the prefix portion of the request contains percent-encoded bytes, the raw prefix is longer than its decoded match, so the slice starts too early and leaves trailing bytes of the prefix in place; if that prefix portion also contains one or more dots, the raw path that remains after stripping is a dot-segment path (e.g. /./admin/secret). ForwardAuth passes this dot-segment path to the authentication server in the X-Forwarded-Uri header, where it fails to match protected path patterns such as ^/admin, so the request is allowed through. The backend then normalizes the dot segment according to RFC 3986, resolves the path to the real location (/admin/secret in the example) and serves the protected content. An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization.
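Worked example (added here; this is not Traefik's code and not part of the advisory). The Go program below re-implements the slicing mismatch the description reports: a stripping regex matched against the decoded path, with the decoded match length applied to the raw path. The regex ^/[^/]+/, the constructed request path /%61./admin/secret (which decodes to /a./admin/secret), the auth rule protecting ^/admin and all function names are assumptions for illustration. forwardedURI models the advisory's statement that the auth server receives the raw stripped path; stripFixed and rawLen are one possible correction (slice the raw path by the encoded length of the match), not the upstream patch.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Constructed scenario: the middleware strips the first path segment, and an
// auth server protects everything under /admin. Both regexes are assumptions.
var (
	stripRe     = regexp.MustCompile(`^/[^/]+/`)
	protectedRe = regexp.MustCompile(`^/admin(/|$)`)
)

// ensureLeadingSlash re-adds the "/" that stripping may have removed.
func ensureLeadingSlash(p string) string {
	if p != "" && p[0] != '/' {
		return "/" + p
	}
	return p
}

// stripVulnerable models the defect the advisory describes: the regex is
// matched against the decoded Path, but the decoded match length is used to
// slice the still percent-encoded RawPath. Hypothetical re-implementation.
func stripVulnerable(rawURL string, re *regexp.Regexp) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	prefix := re.FindString(u.Path)
	if prefix == "" || !strings.HasPrefix(u.Path, prefix) {
		return u, nil
	}
	u.Path = ensureLeadingSlash(u.Path[len(prefix):])
	if u.RawPath != "" {
		// Bug: len(prefix) counts decoded bytes; RawPath still holds %XX triples,
		// so the slice starts too early and leaves prefix bytes behind.
		u.RawPath = ensureLeadingSlash(u.RawPath[len(prefix):])
	}
	return u, nil
}

// rawLen walks the encoded string and returns how many raw bytes encode the
// first decodedBytes decoded bytes (a %XX triple decodes to a single byte).
func rawLen(raw string, decodedBytes int) int {
	i := 0
	for n := 0; n < decodedBytes && i < len(raw); n++ {
		if raw[i] == '%' && i+2 < len(raw) {
			i += 3
		} else {
			i++
		}
	}
	return i
}

// stripFixed slices RawPath by the encoded length of the matched prefix, so
// Path and RawPath stay consistent. One possible fix, not the upstream patch.
func stripFixed(rawURL string, re *regexp.Regexp) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	prefix := re.FindString(u.Path)
	if prefix == "" || !strings.HasPrefix(u.Path, prefix) {
		return u, nil
	}
	u.Path = ensureLeadingSlash(u.Path[len(prefix):])
	if u.RawPath != "" {
		u.RawPath = ensureLeadingSlash(u.RawPath[rawLen(u.RawPath, len(prefix)):])
	}
	return u, nil
}

// forwardedURI models the advisory's claim that the auth server sees the raw
// (encoded) stripped path; it falls back to Path when RawPath is unset.
func forwardedURI(u *url.URL) string {
	if u.RawPath != "" {
		return u.RawPath
	}
	return u.Path
}

// authAllows is the auth server's check: anything not under /admin passes.
func authAllows(uri string) bool { return !protectedRe.MatchString(uri) }

// backendPath is what a backend that normalizes RFC 3986 dot segments serves.
func backendPath(uri string) string { return path.Clean(uri) }

func main() {
	variants := []struct {
		name  string
		strip func(string, *regexp.Regexp) (*url.URL, error)
	}{{"vulnerable", stripVulnerable}, {"fixed", stripFixed}}
	for _, v := range variants {
		u, err := v.strip("/%61./admin/secret", stripRe) // decodes to /a./admin/secret
		if err != nil {
			panic(err)
		}
		fwd := forwardedURI(u)
		fmt.Printf("%-10s X-Forwarded-Uri=%-16s auth_allows=%-5v backend_serves=%s\n",
			v.name, fwd, authAllows(fwd), backendPath(fwd))
	}
}
```

Run as written, the vulnerable variant forwards /./admin/secret, which the ^/admin rule does not match while path.Clean resolves it to /admin/secret; the fixed variant forwards /admin/secret and is denied. The same mechanism produces a /../ segment when the prefix portion holds two encoded bytes and the regex spans two segments (e.g. /%61%62/../admin/secret with ^/[^/]+/[^/]+/), which a normalizing backend also collapses to /admin/secret.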
Recommendations

Update to version 2.11.43.
Update to version 3.6.14.
Update to version 3.7.0-rc.2.

Related Identifiers

BDU:2026-06476
CVE-2026-40912
GHSA-6JWX-7VP4-9847
OPENSUSE-SU-2026:10697-1
OPENSUSE-SU-2026:10698-1

Affected Products

Traefik