Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when headerField is configured with a non-canonical HTTP header name (e.g., x-auth-user instead of X-Auth-User), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries - the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue.
AnalysisAI
Traefik reverse proxy and load balancer versions prior to 2.11.42, 3.6.11, and 3.7.0-ea.3 allow authenticated attackers to inject canonical HTTP header names that override non-canonical headers configured via the headerField setting, enabling identity impersonation to backend systems. The vulnerability exploits HTTP header handling inconsistencies where backends read the attacker-supplied canonical header before Traefik's non-canonical configuration, permitting authentication bypass for any identity. Vendor-released patches are available for all affected major versions.
Technical ContextAI
Traefik (cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*) is an HTTP reverse proxy and load balancer that uses the headerField configuration parameter to inject authentication-related headers into upstream requests. The vulnerability manifests as a CWE-290 (Authentication Bypass by Spoofing) issue stemming from improper HTTP header canonicalization handling. When administrators configure non-canonical header names (e.g., x-auth-user in lowercase), Traefik writes the header in that form. However, HTTP header names are case-insensitive per RFC 7230, and many backend systems normalize headers to canonical form (e.g., X-Auth-User). An authenticated attacker with request injection capabilities can submit a request with the canonical version of the target header; since HTTP allows multiple header instances with the same name, the backend's header parsing logic reads the attacker-injected canonical header first, overriding Traefik's non-canonical write and enabling arbitrary identity assumption.
RemediationAI
Upgrade Traefik to version 2.11.42, 3.6.11, or 3.7.0-ea.3 or later depending on the major version in use (see https://github.com/traefik/traefik/releases/tag/v2.11.42, https://github.com/traefik/traefik/releases/tag/v3.6.11, and https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3). Until patching is feasible, audit all headerField configurations to ensure canonical HTTP header naming (e.g., X-Auth-User instead of x-auth-user) to reduce the surface for header injection; additionally, configure backend systems to reject or sanitize duplicate headers and implement strict input validation on authentication headers. Network segmentation limiting authenticated user access to Traefik instances is also recommended as a compensating control.
Traefik is an open source HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is re
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable
Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is
Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.8), this vulnerabil
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inheri
In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik
Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.1), this vulnerability is remotely explo
Identity/authorization header spoofing in Traefik reverse proxy (before v2.11.51, v3.6.22, and v3.7.6) lets an attacker
Traefik reverse proxy and load balancer contains an mTLS authentication bypass vulnerability that allows attackers to ci
Traefik versions before 2.11.38 and 3.6.9 allow remote attackers to cause denial of service by sending incomplete TLS re
Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resou
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16616
GHSA-qr99-7898-vr7c