CVE-2026-54764
Received Received - Intake

Forward Header Injection in Traefik Reverse Proxy

Vulnerability report for CVE-2026-54764, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's ForwardAuth middleware, even when configured with trustForwardHeader: false, derives the X-Forwarded-Port header sent to the authentication service from the original incoming request instead of the sanitized forwarded request. As a result, an unauthenticated remote attacker can inject an X-Forwarded-Proto: https header over a plain HTTP connection and cause Traefik to forward X-Forwarded-Port: 443 to the authentication service, bypassing port-based authorization checks. This issue is fixed in versions v2.11.51, v3.6.22, and v3.7.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
traefik traefik to 2.11.51 (exc)
traefik traefik to 3.6.22 (exc)
traefik traefik to 3.7.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Traefik's ForwardAuth middleware in versions prior to v2.11.51, v3.6.22, and v3.7.6. Even when configured with trustForwardHeader set to false, the middleware incorrectly derives the X-Forwarded-Port header from the original incoming request instead of the sanitized forwarded request.

An unauthenticated remote attacker can exploit this by injecting an X-Forwarded-Proto: https header over a plain HTTP connection. This causes Traefik to forward X-Forwarded-Port: 443 to the authentication service, effectively bypassing port-based authorization checks.

Impact Analysis

The vulnerability allows an unauthenticated remote attacker to bypass port-based authorization checks by manipulating headers. This can lead to unauthorized access to services that rely on Traefik's ForwardAuth middleware for authentication.

Such unauthorized access could compromise the security of applications behind the proxy, potentially exposing sensitive data or allowing further exploitation within the network.

Mitigation Strategies

To mitigate this vulnerability, upgrade Traefik to one of the fixed versions: v2.11.51, v3.6.22, or v3.7.6.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54764. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart