CVE-2026-54763
Received Received - Intake

Authentication Spoofing in Traefik Middleware

Vulnerability report for CVE-2026-54763, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which many backends normalize identically to dashed forms. An attacker able to reach a protected route can inject an underscore-variant header that survives Traefik's stripping and reaches the backend alongside, or on the unauthenticated ForwardAuth authResponseHeaders path instead of, the value Traefik intended to set, spoofing identity or authorization context. This issue is fixed in versions v2.11.51, v3.6.22, and v3.7.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
traefik traefik 2.11.51
traefik traefik 3.6.22
traefik traefik 3.7.6

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Traefik, an HTTP reverse proxy and load balancer. Before certain fixed versions, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares would strip spoofed identity headers that use canonical casing before setting their own values. However, they did not account for headers with underscores, which many backend systems treat the same as headers with dashes.

An attacker who can access a protected route can inject headers with underscores that bypass Traefik's stripping process. These spoofed headers then reach the backend alongside or instead of the legitimate authentication headers set by Traefik, allowing the attacker to spoof identity or authorization context.

This issue was fixed in Traefik versions v2.11.51, v3.6.22, and v3.7.6.

Impact Analysis

This vulnerability can allow an attacker to spoof identity or authorization information by injecting specially crafted headers that bypass Traefik's authentication middleware protections.

As a result, unauthorized users might gain access to protected routes or resources, potentially leading to unauthorized data access, privilege escalation, or other security breaches within applications relying on Traefik for authentication.

Mitigation Strategies

To mitigate this vulnerability, upgrade Traefik to one of the fixed versions: v2.11.51, v3.6.22, or v3.7.6.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54763. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart