CVE-2026-39858
Received Received - Intake
Authentication Bypass in Traefik Reverse Proxy

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitHub, Inc.

Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context β€” such as a trusted scheme or host β€” through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39858
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
traefik traefik 3.7.0
traefik traefik 3.7.0
traefik traefik to 2.11.43 (exc)
traefik traefik From 3.0.0 (inc) to 3.6.14 (exc)
traefik traefik 3.7.0
traefik traefik 3.7.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Traefik, an HTTP reverse proxy and load balancer, specifically in its ForwardAuth and snippet-based authentication middleware.

The issue arises because Traefik's forwarded-header sanitization logic only targets canonical header names with dashes (e.g., X-Forwarded-Proto) but does not sanitize alias headers that use underscores instead of dashes (e.g., X_Forwarded_Proto).

These unsanitized alias headers are forwarded unchanged to the authentication backend. If the backend treats underscore and dash header forms as equivalent, an attacker can inject spoofed trust context through these alias headers.

This allows the attacker to bypass authentication on protected routes without valid credentials.

The vulnerability has been fixed in Traefik versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

Impact Analysis

This vulnerability can allow an attacker to bypass authentication on protected routes of a Traefik deployment.

By injecting spoofed trust context via specially crafted headers, the attacker can gain unauthorized access to services behind Traefik without valid credentials.

This could lead to unauthorized access to sensitive data, unauthorized actions, and potential compromise of the protected systems.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Traefik to a patched version.

  • Upgrade to Traefik version 2.11.43 or later.
  • Upgrade to Traefik version 3.6.14 or later.
  • Upgrade to Traefik version 3.7.0-rc.2 or later.
Compliance Impact

This vulnerability allows attackers to bypass authentication and gain unauthorized access to protected routes, potentially exposing sensitive data or functionality.

Such unauthorized access can lead to breaches of confidentiality, which may result in non-compliance with data protection regulations and standards like GDPR and HIPAA that require strict access controls and protection of sensitive information.

Therefore, if exploited, this vulnerability could compromise compliance with these regulations by enabling unauthorized data access.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to Traefik for the presence of alias forwarded headers that use underscores instead of dashes, such as X_Forwarded_Proto, X_Forwarded_Host, or similar variants.

An effective detection method is to capture and inspect incoming HTTP headers to identify if any alias headers are being sent that Traefik might forward unsanitized to the authentication backend.

Suggested commands to detect such headers include using tools like tcpdump, tshark, or curl combined with grep to filter for these alias headers.

  • Using tcpdump to capture HTTP traffic and filter for alias headers: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'X_Forwarded_'
  • Using tshark to filter HTTP headers containing underscores: tshark -Y 'http.header matches "X_Forwarded_"' -T fields -e http.host -e http.header
  • Using curl to send requests with alias headers to test if the backend accepts them: curl -H 'X_Forwarded_Proto: https' -H 'X_Forwarded_Host: attacker.com' https://your-traefik-protected-endpoint

If such alias headers are accepted and result in bypassing authentication, it indicates the vulnerability is present.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39858. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart