
Traefik CVE-2026-35051 & CVE-2026-39858: 10.0 Auth Bypass in ForwardAuth

Two critical Traefik CVEs (CVSS 10.0) bypass ForwardAuth via trusted upstream and underscore header smuggling. Affected versions, exploitation, IOCs and patch guide.

3 May 2026, 4 min read

In late April 2026, the Traefik team disclosed two back-to-back CVEs rated CVSS 10.0 affecting the ForwardAuth middleware — the central delegated authentication mechanism in the reverse proxy. When Traefik is deployed behind a presumed-trusted upstream, both flaws let an unauthenticated attacker impersonate a legitimate user or spoof the trust context, gaining access to every route protected by ForwardAuth.

Given Traefik's ubiquity in modern infrastructure (Kubernetes, Docker Swarm, microservices, edge), these CVEs must be treated as top-priority by every SRE and DevSecOps team.


Technical Details

CVE-2026-35051 — Bypass via trustForwardHeader=false

When trustForwardHeader=false is explicitly set on the ForwardAuth middleware and Traefik is deployed behind a trusted upstream proxy, the header filtering logic does not behave as expected. An attacker can inject their own X-Forwarded-* headers that are forwarded to the auth backend, making it believe the request originates from a trusted context.

  • CVSS 3.1: 10.0 (CRITICAL)
  • Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Scope changed: the vulnerability impacts components beyond Traefik itself, justifying the maximum score
  • CWE: improper authentication

CVE-2026-39858 — Bypass via underscore alias headers

Traefik's header sanitization only targets canonical names (X-Forwarded-Proto, X-Forwarded-Host...) and does not normalize the underscore alias variants (X_Forwarded_Proto, X_Forwarded_Host). These alias headers are forwarded as-is to the auth backend.

When the backend normalizes underscore and dash forms equivalently — which Apache, Nginx in FastCGI mode, and most Python/Node.js frameworks do — an attacker can inject a forged trust context and bypass authentication on protected routes without any valid credentials.
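An added example (not Traefik's or any framework's own code) of the normalization described above: CGI-style mapping collapses X_Forwarded_Proto and X-Forwarded-Proto onto the same environ key, so an alias listed after the canonical header shadows it; the hardened variant refuses the request when any raw header name contains an underscore, which is the backend-side mitigation recommended later on this page. The header list is constructed.

```python
# Added example: how CGI/WSGI-style header normalization merges the underscore
# alias into the canonical name, and a backend check that rejects such
# requests instead of normalizing them.

def cgi_normalize(headers):
    """Map raw header names to CGI/WSGI environ keys the way FastCGI, WSGI and
    PHP servers do: upper-case, '-' becomes '_', prefixed with HTTP_.  A later
    header overwrites an earlier one with the same key, so an alias can shadow
    the canonical header that the proxy sanitized."""
    env = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def forwarded_context(headers):
    """What a backend that reads only the normalized environ believes about
    the original request (the behaviour the CVE relies on)."""
    env = cgi_normalize(headers)
    return {"proto": env.get("HTTP_X_FORWARDED_PROTO"),
            "host": env.get("HTTP_X_FORWARDED_HOST")}

def underscore_header_names(headers):
    """Raw header names containing an underscore, checked before normalization."""
    return [name for name, _ in headers if "_" in name]

def hardened_forwarded_context(headers):
    """Hardened variant: refuse the request outright (return None) when any raw
    header name uses the underscore alias form; otherwise behave as before."""
    if underscore_header_names(headers):
        return None
    return forwarded_context(headers)

# Constructed request as it would reach the auth backend: the canonical
# X-Forwarded-* headers carry the values the proxy set, while the alias
# headers passed through unfiltered and are listed after them.
FORWARDED = [
    ("Host", "app.example.test"),
    ("X-Forwarded-Proto", "http"),
    ("X-Forwarded-Host", "app.example.test"),
    ("X_Forwarded_Proto", "https"),
    ("X_Forwarded_Host", "admin.internal"),
]

if __name__ == "__main__":
    print(forwarded_context(FORWARDED))
    print(hardened_forwarded_context(FORWARDED))
```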

  • CVSS 3.1: 10.0 (CRITICAL)
  • Same vector as CVE-2026-35051: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Why a 10.0 score?

The S:C (Changed) scope indicates that exploitation impacts a different component from the one containing the vulnerability — here, the backend services protected behind Traefik. This pushes the score to its maximum, on top of the complete absence of prerequisites (network access, low complexity, no auth, no user interaction).


Affected Products and Versions

Component                        Affected versions   Patched version
Traefik 2.x                      < 2.11.43           2.11.43
Traefik 3.x stable               < 3.6.14            3.6.14
Traefik 3.7 release candidate    < 3.7.0-rc.2        3.7.0-rc.2

Both CVEs are fixed in the same versions.


Exploitation and Impact

Exploitation conditions

For CVE-2026-35051: trustForwardHeader=false configured on the ForwardAuth middleware + Traefik behind an upstream proxy.

For CVE-2026-39858: no specific condition on the Traefik side. The auth backend simply needs to normalize underscore and dash headers equivalently.

What an attacker can do

  • Completely bypass authentication on every route protected by ForwardAuth
  • Access internal admin dashboards (Grafana, Kibana, Prometheus, Portainer...) sitting behind Traefik
  • Reach business APIs with a forged authenticated user context
  • Pivot toward secrets injected by the auth middleware (JWTs, X-User-* headers)

Public exploit

As of writing, no public PoC has been released for either CVE, but the simplicity of the exploitation (HTTP header injection) means tools like curl or Burp are enough to reproduce the attack once the mechanism is understood.

Note: neither CVE is yet listed in the CISA KEV catalog, but given Traefik's role as a critical infrastructure component for many government and CSP deployments, addition in the coming weeks is likely.


Detection and IOCs

Traefik logs to monitor

# Enable JSON access logs and capture headers
[accessLog]
  filePath = "/var/log/traefik/access.log"
  format = "json"
  fields.headers.defaultMode = "keep"

Hunt in access.log for:

  • Underscore alias headers: X_Forwarded_Proto, X_Forwarded_Host, X_Forwarded_For
  • 200/302 responses on ForwardAuth-protected routes from IPs not previously authenticated
  • Abnormal request volume hitting /auth or middleware endpoints
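The first two hunts above as a script, added here as an example (not a Traefik or cveo.tech tool). It reads Traefik JSON access-log lines with headers kept, where each request header appears as a request_<Header-Name> field, and flags underscore alias headers or a 200/302 on a protected router when the client is not the assumed upstream proxy range. The log lines, the upstream range and the router name are constructed.

```python
import ipaddress
import json

# Constructed sample lines in Traefik's JSON access-log format with headers
# kept (fields.headers.defaultMode = "keep"); every request header appears as
# a request_<Header-Name> field.  Addresses and router names are made up.
SAMPLE_LOG = """\
{"ClientHost":"10.0.0.5","RequestPath":"/grafana/","DownstreamStatus":200,"RouterName":"grafana@docker","request_X-Forwarded-Proto":"https","request_User-Agent":"curl/8.0"}
{"ClientHost":"203.0.113.7","RequestPath":"/grafana/","DownstreamStatus":200,"RouterName":"grafana@docker","request_X_Forwarded_Proto":"https","request_X_Forwarded_Host":"admin.internal"}
{"ClientHost":"198.51.100.9","RequestPath":"/grafana/","DownstreamStatus":401,"RouterName":"grafana@docker","request_User-Agent":"curl/8.0"}
{"ClientHost":"198.51.100.9","RequestPath":"/grafana/","DownstreamStatus":302,"RouterName":"grafana@docker","request_User-Agent":"curl/8.0"}
"""

# Assumptions: the upstream proxy that should be Traefik's only client lives
# in this range, and these routers sit behind the ForwardAuth middleware.
TRUSTED_UPSTREAMS = [ipaddress.ip_network("10.0.0.0/8")]
PROTECTED_ROUTERS = {"grafana@docker"}

def underscore_headers(entry):
    """Header names (after the request_ prefix) that use the underscore alias form."""
    prefix = "request_"
    return sorted(k[len(prefix):] for k in entry
                  if k.startswith(prefix) and "_" in k[len(prefix):])

def from_trusted_upstream(entry):
    """True when the direct client is inside the assumed upstream proxy range."""
    addr = ipaddress.ip_address(entry["ClientHost"])
    return any(addr in net for net in TRUSTED_UPSTREAMS)

def hunt(log_text):
    """Return (reason, client, alias_headers) triples for suspicious lines:
    underscore alias headers from a client that is not the upstream proxy, or
    a 200/302 on a protected router from such a client."""
    findings = []
    for line in log_text.splitlines():
        entry = json.loads(line)
        if from_trusted_upstream(entry):
            continue
        aliases = underscore_headers(entry)
        if aliases:
            findings.append(("underscore_alias_headers", entry["ClientHost"], aliases))
        elif (entry.get("RouterName") in PROTECTED_ROUTERS
              and entry.get("DownstreamStatus") in (200, 302)):
            findings.append(("success_on_protected_router", entry["ClientHost"], []))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

In a deployment where users reach Traefik directly rather than through an upstream proxy, drop the second rule or replace the range check with your own notion of an authenticated source.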

Sigma hunt rule

title: Traefik ForwardAuth header smuggling
logsource:
  product: traefik
  service: access
detection:
  selection:
    request_headers|contains:
      - 'X_Forwarded_Proto'
      - 'X_Forwarded_Host'
      - 'X_Forwarded_For'
  condition: selection
level: high

Network indicators

  • HTTP requests with underscore headers from external IPs (not known upstream proxies)
  • Abnormal traffic to backend services typically protected (admin dashboards, internal APIs)

Mitigation and Patch

Immediate action: patch

# Docker
docker pull traefik:v2.11.43
docker pull traefik:v3.6.14

# Helm chart Kubernetes
helm upgrade traefik traefik/traefik \
  --version <matching-chart-version> \
  --set image.tag=v3.6.14

Temporary workaround (if patching is delayed)

At the edge or on the upstream proxy (Nginx, Apache, HAProxy) in front of Traefik, strip every underscore alias header before it reaches Traefik:

# Nginx: an empty value removes the header from the proxied request.
# underscores_in_headers is an http/server-level directive; off (the default)
# marks underscore headers invalid so they are dropped while
# ignore_invalid_headers stays on (its default).
proxy_set_header X_Forwarded_For "";
proxy_set_header X_Forwarded_Host "";
proxy_set_header X_Forwarded_Proto "";
underscores_in_headers off;

# Apache (requires mod_headers)
RequestHeader unset X_Forwarded_For
RequestHeader unset X_Forwarded_Host
RequestHeader unset X_Forwarded_Proto

Long-term hardening

  • Set trustForwardHeader=true only when your architecture includes a controlled upstream proxy that owns the headers
  • On the auth backend, explicitly reject requests containing underscore headers rather than normalizing them
  • Use an upstream IP allowlist at the ForwardAuth middleware level (trustedIPs option)

Why Continuous Monitoring Matters

Traefik is the critical entry point for thousands of organizations. A patch is only effective once deployed — yet experience shows that a significant share of the fleet remains on vulnerable versions months after disclosure. Automated monitoring of your Traefik inventory means you are alerted the moment a new CVE affects one of your deployed versions, without relying on manual watch.

With cveo.tech, register your Traefik instances in your asset inventory and receive automatic email alerts whenever a CVSS ≥ 9.0 CVE hits one of your versions — so you never discover a critical flaw two weeks after the attackers.

Monitor CVEs with AI

AI search, CVSS scoring, fleet monitoring and automatic alerts.