PT-2026-37111 · Traefik · Traefik

Published 2026-05-04 · Updated 2026-05-19 · CVE-2026-41181

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Traefik versions prior to 2.11.44
Traefik versions prior to 3.6.15
Traefik versions prior to 3.7.0-rc.3

Description

An information disclosure issue exists in the errors (custom error pages) middleware. When a backend returns a response whose status code matches the configured range, the middleware issues a request to the separate error-page service and copies the complete set of original request headers onto it. This includes credential-bearing headers such as Authorization and Cookie, even though the documentation states that only the Host header is forwarded by default. End-user credentials therefore reach a service that was never meant to receive them; if that error service is shared between tenants, operated by a third party, or logs incoming request headers, the leaked bearer tokens and session cookies can be replayed for unauthorized API access or account compromise.

Recommendations

Update to version 2.11.44 or later.
Update to version 3.6.15 or later.
Update to version 3.7.0-rc.3 or later.

Until the update is applied, treat the error-page service as part of the trusted perimeter: do not point the errors middleware at a shared or third-party service, and make sure the service does not log request headers.
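The forwarding behaviour described above, reproduced as an added Go example that is not Traefik's code: a header-recording stand-in for the error-page service, a "clone every header" policy that models the vulnerable middleware, and an allow-list policy that copies only Host. The host name app.example.test, the credential values and the function names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"sync"
)

// Credential-bearing request headers that must never reach an error-page service.
var sensitiveHeaders = map[string]bool{"Authorization": true, "Proxy-Authorization": true, "Cookie": true}

// Only Host is copied by the hardened policy: the one header the docs say is forwarded by default.
var allowedHeaders = []string{"Host"}

// HeaderRecorder is a stand-in error-page service that keeps the headers of the last request it saw.
type HeaderRecorder struct {
	mu   sync.Mutex
	last http.Header
}

func (r *HeaderRecorder) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	r.mu.Lock()
	r.last = req.Header.Clone()
	r.mu.Unlock()
	fmt.Fprintf(w, "error page for %s\n", req.URL.Path)
}

// Leaked returns, sorted, the sensitive header names present in the last recorded request.
func (r *HeaderRecorder) Leaked() []string {
	r.mu.Lock()
	defer r.mu.Unlock()
	var out []string
	for name := range r.last {
		if sensitiveHeaders[http.CanonicalHeaderKey(name)] {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// forwardAll models the vulnerable behaviour: the client's whole header set is cloned onto the sub-request.
func forwardAll(orig *http.Request, errURL string) (*http.Request, error) {
	sub, err := http.NewRequest(http.MethodGet, errURL, nil)
	if err != nil {
		return nil, err
	}
	sub.Header = orig.Header.Clone()
	return sub, nil
}

// forwardAllowList models the hardened behaviour: only allow-listed headers are copied to the sub-request.
func forwardAllowList(orig *http.Request, errURL string) (*http.Request, error) {
	sub, err := http.NewRequest(http.MethodGet, errURL, nil)
	if err != nil {
		return nil, err
	}
	for _, name := range allowedHeaders {
		if name == "Host" { // Go keeps Host in req.Host, not in the header map
			sub.Host = orig.Host
		} else if vals := orig.Header.Values(name); len(vals) > 0 {
			sub.Header[http.CanonicalHeaderKey(name)] = append([]string(nil), vals...)
		}
	}
	return sub, nil
}

// probe runs one forwarding policy against a local HeaderRecorder and reports which sensitive headers arrived.
func probe(policy func(*http.Request, string) (*http.Request, error)) ([]string, error) {
	rec := &HeaderRecorder{}
	errSvc := httptest.NewServer(rec)
	defer errSvc.Close()

	// Constructed client request: what an authenticated user would send to the proxy.
	orig, _ := http.NewRequest(http.MethodGet, "http://app.example.test/api/items", nil)
	orig.Header.Set("Authorization", "Bearer constructed-example-token")
	orig.Header.Set("Cookie", "session=constructed-example-session")

	sub, err := policy(orig, errSvc.URL+"/503.html")
	if err != nil {
		return nil, err
	}
	resp, err := http.DefaultClient.Do(sub)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return rec.Leaked(), nil
}

func main() {
	vuln, _ := probe(forwardAll)
	fixed, _ := probe(forwardAllowList)
	fmt.Println("clone all headers, leaked:", vuln)    // [Authorization Cookie]
	fmt.Println("allow-list Host only, leaked:", fixed) // []
}
```

To check a real deployment rather than the model, run HeaderRecorder as a service, point the errors middleware's service option at it with a status range the backend can be made to hit, send one authenticated request through the proxy, and read Leaked(): any Authorization or Cookie entry means the proxy is still on an affected version or an equivalent header-cloning configuration.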

Related Identifiers

CVE-2026-41181
GHSA-P6HG-QH38-555R
OPENSUSE-SU-2026:10713-1
OPENSUSE-SU-2026:10714-1

Affected Products

Traefik