CVE Catalog

CVE-2026-35051

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

A vulnerability in Traefik allows authentication bypass in the ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. The issue is fixed in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

Risk Assessment

An attacker can bypass the ForwardAuth authentication mechanism, leading to unauthorized access to protected resources and potential data confidentiality breaches.

Recommendation

Immediately upgrade Traefik to version 2.11.43, 3.6.14, or 3.7.0-rc.2. If upgrade is not possible, temporarily disable ForwardAuth or configure a trusted upstream proxy.

Original NVD description (English source)

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS