CVE-2026-29054
Case-Sensitive Header Handling Flaw in Traefik Enables Header Manipulation
Publication date: 2026-03-05
Last updated on: 2026-03-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| traefik | traefik | From 2.11.9 (inc) to 2.11.38 (exc) |
| traefik | traefik | From 3.1.3 (inc) to 3.6.9 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-178 | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29054 is a vulnerability in Traefik, an HTTP reverse proxy and load balancer, related to how it handles the HTTP Connection header and the X-Forwarded headers it manages (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port).

The Connection header lists hop-by-hop headers that a proxy must drop before forwarding a request, so a proxy honours client-supplied Connection tokens by design. Traefik therefore protects its own X-Forwarded headers from client-driven removal by checking the Connection header tokens against a protected list. However, this check is case-sensitive, while the actual header deletion is case-insensitive.

Because of this mismatch, an attacker can send Connection tokens in non-canonical casing (e.g. `Connection: x-real-ip`) to bypass the protection and cause Traefik to delete its managed X-Forwarded headers.

This allows a remote unauthenticated attacker to remove trusted identity headers that downstream services rely on for authentication, authorization, routing, or scheme decisions. [1]
How can this vulnerability impact me?
The impact of this vulnerability is significant when downstream services depend on Traefik-managed X-Forwarded headers for security decisions.
- An attacker can remove headers like X-Real-Ip, which might be used for IP allowlisting. What the downstream service does when the header is absent (for example, falling back to the connecting address, which in a proxied deployment is Traefik itself) decides whether the removal turns into misplaced trust.
- This can lead to bypassing access controls, unauthorized access, or incorrect routing or scheme decisions.
- Since the attacker is remote and unauthenticated, the risk is elevated as no credentials or privileges are needed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to Traefik for Connection header tokens that, compared case-insensitively, name a Traefik-managed X-Forwarded header (for example `Connection: x-real-ip`). Because the flawed check is an exact string comparison, any casing other than the canonical form (`x-real-ip`, `X-REAL-IP`, and so on) bypasses it, so detection rules should canonicalize the token rather than look for lowercase spellings only. Sending such a request and observing whether the corresponding X-Forwarded header is missing at the backend confirms the vulnerability.

A proof of concept is an HTTP request with a Connection token such as `Connection: x-real-ip`, followed by a check of whether the X-Real-Ip header that Traefik sets reaches the backend.

With curl, for example:

- `curl -v -H "Connection: x-real-ip" -H "X-Real-Ip: 1.2.3.4" http://your-traefik-endpoint`
- Then inspect the request as received by the backend (a backend that echoes its request headers is the simplest way) or Traefik's logs to verify whether X-Real-Ip was removed. Note that the client-supplied X-Real-Ip value is not what is being tested, since Traefik normally stamps that header itself; what matters is whether the Traefik-set header survives. Compare against a baseline request without the Connection header: on a patched version both requests arrive with X-Real-Ip present, on a vulnerable version only the baseline does. [1]
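The mechanism explained above (a case-sensitive protected-list check paired with a case-insensitive deletion) and the detection check, as an added example written for this page rather than Traefik's own code: a model of a hop-by-hop header stripper with the flawed comparison, the canonicalizing version that matches the described fix, and a detector that flags Connection tokens naming a protected header under any casing. The protected-header list, the function names and the sample request values are constructed for the example and are not taken from Traefik.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
	"strings"
)

// Headers the proxy stamps itself and wants to shield from client-driven
// removal. Constructed for this example from the names the advisory quotes.
var protectedHeaders = []string{
	"X-Real-Ip",
	"X-Forwarded-For",
	"X-Forwarded-Host",
	"X-Forwarded-Port",
	"X-Forwarded-Proto",
}

// isProtected compares the name exactly as given; the caller decides whether
// it has been canonicalized first, and that decision is the whole bug.
func isProtected(name string) bool {
	for _, p := range protectedHeaders {
		if p == name {
			return true
		}
	}
	return false
}

// connectionTokens splits every Connection header value into trimmed tokens
// (RFC 7230 allows "Connection: close, x-custom, ...").
func connectionTokens(h http.Header) []string {
	var out []string
	for _, v := range h.Values("Connection") {
		for _, t := range strings.Split(v, ",") {
			if t = textproto.TrimString(t); t != "" {
				out = append(out, t)
			}
		}
	}
	return out
}

// stripVulnerable models the flaw: the protected-list check sees the raw token
// (case-sensitive) but http.Header.Del canonicalizes its argument
// (case-insensitive), so "x-real-ip" passes the check and still deletes X-Real-Ip.
func stripVulnerable(h http.Header) {
	for _, tok := range connectionTokens(h) {
		if isProtected(tok) {
			continue
		}
		h.Del(tok) // Del("x-real-ip") removes the key "X-Real-Ip"
	}
}

// stripFixed canonicalizes the token before the check, so the comparison and
// the deletion agree on which header a token names.
func stripFixed(h http.Header) {
	for _, tok := range connectionTokens(h) {
		canon := textproto.CanonicalMIMEHeaderKey(tok)
		if isProtected(canon) {
			continue
		}
		h.Del(canon)
	}
}

// suspiciousTokens is the detection side: Connection tokens that name a
// protected header under canonical comparison, whatever their casing.
func suspiciousTokens(h http.Header) []string {
	var hits []string
	for _, tok := range connectionTokens(h) {
		if isProtected(textproto.CanonicalMIMEHeaderKey(tok)) {
			hits = append(hits, tok)
		}
	}
	return hits
}

// sampleRequest builds the header set a proxy holds after stamping X-Real-Ip
// from the TCP peer, with the client-supplied Connection value given.
// All values are constructed for the example.
func sampleRequest(connection string) http.Header {
	h := http.Header{}
	h.Set("Host", "app.example")
	h.Set("Connection", connection)
	h.Set("X-Real-Ip", "203.0.113.7")
	h.Set("X-Forwarded-Proto", "https")
	return h
}

func main() {
	for _, c := range []string{"X-Real-Ip", "x-real-ip", "keep-alive, X-REAL-IP"} {
		v, f := sampleRequest(c), sampleRequest(c)
		stripVulnerable(v)
		stripFixed(f)
		fmt.Printf("Connection: %-24q vulnerable keeps X-Real-Ip: %-5t fixed keeps it: %-5t flagged: %v\n",
			c, v.Get("X-Real-Ip") != "", f.Get("X-Real-Ip") != "", suspiciousTokens(sampleRequest(c)))
	}
}
```

Only the exactly canonical spelling `X-Real-Ip` is caught by the vulnerable check; both other spellings delete the header in the vulnerable path and survive in the fixed path, and the detector flags all three. The same canonicalize-then-compare rule is what a WAF or log rule for this issue needs.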
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to upgrade Traefik to a patched version where this vulnerability is fixed. Specifically, upgrade to version 2.11.38 or later in the 2.11.x series, or version 3.6.9 or later in the 3.x series.
No workaround is available to mitigate this vulnerability without upgrading.
The fix involves canonicalizing Connection header tokens before comparison to ensure case-insensitive matching, preventing the removal of protected headers regardless of token casing.