Skip to main content

Traefik CVE-2026-33433

| EUVDEUVD-2026-16616 MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-03-27 GitHub_M GHSA-qr99-7898-vr7c
5.1
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.7 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 14:30 euvd
EUVD-2026-16616
Analysis Generated
Mar 27, 2026 - 14:30 vuln.today
CVE Published
Mar 27, 2026 - 13:49 nvd
MEDIUM 5.1

DescriptionCVE.org

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when headerField is configured with a non-canonical HTTP header name (e.g., x-auth-user instead of X-Auth-User), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries - the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue.

AnalysisAI

Traefik reverse proxy and load balancer versions prior to 2.11.42, 3.6.11, and 3.7.0-ea.3 allow authenticated attackers to inject canonical HTTP header names that override non-canonical headers configured via the headerField setting, enabling identity impersonation to backend systems. The vulnerability exploits HTTP header handling inconsistencies where backends read the attacker-supplied canonical header before Traefik's non-canonical configuration, permitting authentication bypass for any identity. Vendor-released patches are available for all affected major versions.

Technical ContextAI

Traefik (cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*) is an HTTP reverse proxy and load balancer that uses the headerField configuration parameter to inject authentication-related headers into upstream requests. The vulnerability manifests as a CWE-290 (Authentication Bypass by Spoofing) issue stemming from improper HTTP header canonicalization handling. When administrators configure non-canonical header names (e.g., x-auth-user in lowercase), Traefik writes the header in that form. However, HTTP header names are case-insensitive per RFC 7230, and many backend systems normalize headers to canonical form (e.g., X-Auth-User). An authenticated attacker with request injection capabilities can submit a request with the canonical version of the target header; since HTTP allows multiple header instances with the same name, the backend's header parsing logic reads the attacker-injected canonical header first, overriding Traefik's non-canonical write and enabling arbitrary identity assumption.

RemediationAI

Upgrade Traefik to version 2.11.42, 3.6.11, or 3.7.0-ea.3 or later depending on the major version in use (see https://github.com/traefik/traefik/releases/tag/v2.11.42, https://github.com/traefik/traefik/releases/tag/v3.6.11, and https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3). Until patching is feasible, audit all headerField configurations to ensure canonical HTTP header naming (e.g., X-Auth-User instead of x-auth-user) to reduce the surface for header injection; additionally, configure backend systems to reject or sanitize duplicate headers and implement strict input validation on authentication headers. Network segmentation limiting authenticated user access to Traefik instances is also recommended as a compensating control.

CVE-2023-47633 HIGH POC
7.5 Dec 04

Traefik is an open source HTTP reverse proxy and load balancer. Rated high severity (CVSS 7.5), this vulnerability is re

CVE-2019-12452 HIGH POC
7.5 May 29

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable

CVE-2023-47106 MEDIUM POC
6.5 Dec 04

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2022-23469 MEDIUM POC
6.5 Dec 08

Traefik is an open source HTTP reverse proxy and load balancer. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2025-32431 HIGH
8.8 Apr 21

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2023-54365 HIGH
8.7 Jun 23

Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inheri

CVE-2020-15129 MEDIUM POC
4.7 Jul 30

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik

CVE-2021-32813 HIGH
8.1 Aug 03

Traefik is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.1), this vulnerability is remotely explo

CVE-2026-54763 HIGH
7.8 Jul 06

Identity/authorization header spoofing in Traefik reverse proxy (before v2.11.51, v3.6.22, and v3.7.6) lets an attacker

CVE-2026-32305 HIGH
7.8 Mar 20

Traefik reverse proxy and load balancer contains an mTLS authentication bypass vulnerability that allows attackers to ci

CVE-2026-26999 HIGH
7.5 Mar 05

Traefik versions before 2.11.38 and 3.6.9 allow remote attackers to cause denial of service by sending incomplete TLS re

CVE-2026-25949 HIGH
7.5 Feb 12

Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resou

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy