Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-29054 is a vulnerability in Traefik, an HTTP reverse proxy and load balancer, related to how it handles the HTTP Connection header and X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port).'}, {'type': 'paragraph', 'content': 'Traefik tries to protect these headers from being removed by clients by checking the Connection header tokens against a protected list. However, this check is case-sensitive, while the actual header deletion is case-insensitive.'}, {'type': 'paragraph', 'content': "Because of this mismatch, an attacker can send lowercase Connection tokens (e.g., 'Connection: x-real-ip') to bypass the protection and cause Traefik to delete its managed X-Forwarded headers."}, {'type': 'paragraph', 'content': 'This vulnerability allows a remote unauthenticated attacker to remove trusted identity headers that downstream services rely on for authentication, authorization, routing, or scheme decisions.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability is significant when downstream services depend on Traefik-managed X-Forwarded headers for security decisions.

• An attacker can remove headers like X-Real-Ip, which might be used for IP allowlisting, causing the downstream service to incorrectly trust requests.
• This can lead to bypassing access controls, unauthorized access, or incorrect routing decisions.
• Since the attacker is remote and unauthenticated, the risk is elevated as no credentials or privileges are needed.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring HTTP requests to Traefik for the presence of lowercase Connection header tokens that correspond to Traefik-managed X-Forwarded headers, such as 'connection: x-real-ip'. Sending such requests and observing whether the corresponding X-Forwarded headers are removed can confirm the vulnerability."}, {'type': 'paragraph', 'content': "A proof of concept involves sending an HTTP request with a lowercase Connection header token like 'connection: x-real-ip' and checking if the X-Real-Ip header is deleted by Traefik."}, {'type': 'paragraph', 'content': 'Specific commands to test this could include using curl to send crafted HTTP requests, for example:'}, {'type': 'list_item', 'content': 'curl -v -H "Connection: x-real-ip" -H "X-Real-Ip: 1.2.3.4" http://your-traefik-endpoint'}, {'type': 'list_item', 'content': 'Then inspect the response or logs to verify if the X-Real-Ip header was removed.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate mitigation is to upgrade Traefik to a patched version where this vulnerability is fixed. Specifically, upgrade to version 2.11.38 or later in the 2.11.x series, or version 3.6.9 or later in the 3.x series.

No workaround is available to mitigate this vulnerability without upgrading.

The fix involves canonicalizing Connection header tokens before comparison to ensure case-insensitive matching, preventing the removal of protected headers regardless of token casing.

Useful 0 Not Useful 0