CVE-2026-40912
Authentication Bypass in Traefik StripPrefixRegex Middleware
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| traefik | traefik | All 2.x releases before 2.11.43 (2.11.43 itself is fixed) |
| traefik | traefik | From 3.0.0 (inclusive) to 3.6.14 (exclusive) |
| traefik | traefik | 3.7.0 (pre-release builds before 3.7.0-rc.2, per the fix versions given below) |
Exploitability
| CWE ID | Name | Description |
|---|---|---|
| CWE-706 | Use of Incorrectly-Resolved Name or Reference | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Traefik's StripPrefixRegex middleware when it is chained with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches its regular expression against the decoded URL path, but then removes the prefix from the raw, still percent-encoded path by cutting it at the length of the decoded match. Whenever the part of the path the regex consumed contained percent-encoded characters, the decoded match is shorter than the raw text it corresponds to, so the cut lands in the wrong place and the two representations of the request path disagree. A request can be arranged so that the raw path left after stripping begins with a dot-segment (for example /./admin/secret where /admin/secret was intended). ForwardAuth passes this altered path to the authentication server in the X-Forwarded-Uri header; a server that matches its protected-path patterns literally against that value sees no match and lets the request through. The backend, like most HTTP servers, normalizes the dot-segment away and serves the protected resource without authentication having taken place.
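The following is an added example, written for this page and not taken from Traefik's source, that models the class of bug described above: a prefix is matched on the decoded path but removed from the raw path by decoded length. It puts the flawed strip beside a consistent one, and pairs each with a toy ForwardAuth decision and a backend that normalizes its path. The regex `^/app/[^/]+/`, the protected pattern `^/admin`, and the request path `/ap%70/%2e/admin/secret` are all constructed for the example and are not an exploit recipe for the real middleware; they only show how an encoded character inside the stripped prefix shifts the cut and leaves a dot-segment behind.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
)

// protectedPath is the pattern the example's ForwardAuth server uses to decide
// which paths require a session (an assumption of this example).
var protectedPath = regexp.MustCompile(`^/admin(/|$)`)

func ensureLeadingSlash(p string) string {
	if p == "" || p[0] != '/' {
		return "/" + p
	}
	return p
}

// stripByDecodedLength models the flawed behaviour described in the advisory
// text (simplified model, not Traefik's code): the regex is matched against
// the DECODED path, but the RAW percent-encoded path is cut at the decoded
// match length.
func stripByDecodedLength(re *regexp.Regexp, rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	loc := re.FindStringIndex(decoded)
	if loc == nil || loc[0] != 0 {
		return rawPath, nil // nothing to strip
	}
	prefixLen := loc[1] // measured in the decoded string...
	if prefixLen > len(rawPath) {
		prefixLen = len(rawPath)
	}
	return ensureLeadingSlash(rawPath[prefixLen:]), nil // ...but applied to the raw one
}

// stripConsistent strips the match from the decoded path and re-derives the
// escaped form from the result, so both representations always agree.
func stripConsistent(re *regexp.Regexp, rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	loc := re.FindStringIndex(decoded)
	if loc == nil || loc[0] != 0 {
		return rawPath, nil
	}
	rest := ensureLeadingSlash(decoded[loc[1]:])
	return (&url.URL{Path: rest}).EscapedPath(), nil
}

// naiveAuthAllows models a ForwardAuth server that matches its protected
// pattern literally against the X-Forwarded-Uri value it receives.
func naiveAuthAllows(forwardedURI string, authenticated bool) bool {
	if protectedPath.MatchString(forwardedURI) {
		return authenticated
	}
	return true
}

// normalizedAuthAllows decodes and removes dot-segments before matching: the
// defence-in-depth check an auth server should apply regardless of the proxy.
func normalizedAuthAllows(forwardedURI string, authenticated bool) bool {
	decoded, err := url.PathUnescape(forwardedURI)
	if err != nil {
		return false
	}
	if protectedPath.MatchString(path.Clean(ensureLeadingSlash(decoded))) {
		return authenticated
	}
	return true
}

// backendResolves models a backend that decodes and normalizes the path
// before routing, as most HTTP servers do.
func backendResolves(forwardedURI string) string {
	decoded, err := url.PathUnescape(forwardedURI)
	if err != nil {
		return ""
	}
	return path.Clean(ensureLeadingSlash(decoded))
}

func main() {
	// Constructed request for this example: "%70" is an encoded 'p', so the
	// decoded prefix "/app/./" (7 chars) is shorter than its raw form (11 chars).
	re := regexp.MustCompile(`^/app/[^/]+/`)
	raw := "/ap%70/%2e/admin/secret"

	bad, _ := stripByDecodedLength(re, raw)
	good, _ := stripConsistent(re, raw)
	fmt.Printf("flawed strip     -> %s (naive auth allows unauthenticated: %v, backend serves %s)\n",
		bad, naiveAuthAllows(bad, false), backendResolves(bad))
	fmt.Printf("consistent strip -> %s (naive auth allows unauthenticated: %v)\n",
		good, naiveAuthAllows(good, false))
	fmt.Printf("normalizing auth on the flawed value allows unauthenticated: %v\n",
		normalizedAuthAllows(bad, false))
}
```

Running it shows the flawed strip emitting `/%2e/admin/secret`, which the literal matcher waves through while the backend resolves it to `/admin/secret`; the consistent strip yields `/admin/secret` and is denied, and the normalizing matcher denies even the altered value. The two fixes are independent: the proxy must keep its path representations consistent, and the auth server should never trust that the path it is handed is already canonical.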
How can this vulnerability impact me?
An unauthenticated attacker can exploit this vulnerability to bypass authentication and access protected backend content. This means sensitive or restricted information could be exposed without proper authorization, potentially leading to data breaches or unauthorized actions within the affected system.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Traefik versions 2.11.43, 3.6.14, and 3.7.0-rc.2. The immediate mitigation is to upgrade every Traefik instance to one of these fixed versions or later. Independently of the upgrade, review the service behind any ForwardAuth middleware: it should decode the X-Forwarded-Uri value and remove dot-segments before comparing it with its protected-path patterns, rather than matching the header value literally, so that an inconsistency in an upstream proxy cannot turn into an authentication decision.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation leaves a recognisable trace: the request path carries percent-encoded dots (%2e or %2E) or dot-segments (/./, /../) inside the portion that StripPrefixRegex removes, on routers where that middleware is chained with ForwardAuth, BasicAuth, or DigestAuth.
The altered path is carried in the X-Forwarded-Uri header that Traefik sends to the ForwardAuth server, so that server's logs (or a capture of the traffic between Traefik and it) are where dot-segment values such as /./admin/secret that were allowed through will show up; the Traefik access log records the path as the client sent it, encoded dots included.
To find attempts, inspect the access logs or capture the traffic:
- Use tools like tcpdump or Wireshark to capture HTTP traffic and filter for request lines containing '%2e' or similar percent-encoded dots. This only works for plaintext HTTP; for HTTPS entrypoints capture behind TLS termination or rely on the logs.
- Search the Traefik access log and the ForwardAuth server's logs for request paths containing patterns like '/%2e/', '/./' or '/../'.
- Example log search (case-insensitive, because %2E is equivalent to %2e): grep -iE '%2e|/\./|/\.\./' /var/log/traefik/access.log
- Example tcpdump command (the BPF expression keeps only segments with a non-empty TCP payload, so the grep sees request lines rather than bare ACKs): tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i '%2e'
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to bypass authentication and access protected content by exploiting a flaw in URL path handling. This unauthorized access to protected resources could lead to exposure of sensitive data.
Such unauthorized access may result in non-compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.