CVE Catalog

CVE-2026-39858

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.48%

38th percentile — higher than 38% of all known CVEs

Summary

In Traefik prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in ForwardAuth and snippet-based authentication middleware. The header sanitization logic does not strip alias variants with underscores (e.g., X_Forwarded_Proto), which are forwarded intact to the authentication backend, allowing an attacker to inject spoofed trust context.

Risk Assessment

An attacker without valid credentials can bypass authentication on protected routes, gaining unauthorized access to sensitive resources or services.

Recommendation

Immediately update Traefik to version 2.11.43, 3.6.14, or 3.7.0-rc.2. If updating is not possible, temporarily disable ForwardAuth or snippet-based middleware on protected routes.

Original NVD description (English source)

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS