CVE-2026-35051
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
A vulnerability in Traefik allows authentication bypass in the ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. The issue is fixed in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Risk Assessment
An attacker can bypass the ForwardAuth authentication mechanism, leading to unauthorized access to protected resources and potential data confidentiality breaches.
Recommendation
Immediately upgrade Traefik to version 2.11.43, 3.6.14, or 3.7.0-rc.2. If upgrade is not possible, temporarily disable ForwardAuth or configure a trusted upstream proxy.
Original NVD description (English source)
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

