Severity by source
Sources disagree (Low–High)CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorVendor: https://github.com/traefik/traefik
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
Summary
There is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context - such as a trusted scheme or host - through the alias headers and bypass authentication on protected routes without valid credentials.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.43
- https://github.com/traefik/traefik/releases/tag/v3.6.14
- https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
For more information
If there are any questions or comments about this advisory, please open an issue.
<details> <summary>Original Description</summary>
Summary
An authentication bypass arises from chaining two bugs: incomplete forwarded-header sanitization at ingress and overly permissive header forwarding in pre-auth subrequests. While canonical X-Forwarded-* headers are handled, alias variants (e.g., underscore forms) are neither normalized nor stripped consistently. When downstream auth services normalize these headers, attackers can inject trusted context and bypass authentication on protected routes without credentials.
Details
This issue results from the interaction between forwarded-header handling and auth subrequest construction, creating a trust boundary mismatch.
At ingress, Traefik defines a fixed set of canonical forwarded headers (X-Forwarded-Proto, X-Forwarded-For, etc.):
Reference : pkg/middlewares/forwardedheaders/forwarded_header.go#L29-L36
var xHeaders = []string{
xForwardedProto,
xForwardedFor,
xForwardedHost,
xForwardedPort,This logic focuses exclusively on canonical header names and does not account for alias forms such as X_Forwarded_Proto. As a result, while standard headers may be sanitized or rewritten, semantically equivalent variants can pass through unchanged.
During ForwardAuth processing, request headers are copied wholesale into the auth subrequest:
Reference : pkg/middlewares/auth/forward.go#L401-L408
utils.CopyHeaders(forwardReq.Header, req.Header)
RemoveConnectionHeaders(forwardReq)
utils.RemoveHeaders(forwardReq.Header, hopHeaders...)This implementation forwards nearly all client-supplied headers to the auth backend, with filtering limited to hop-by-hop headers. There is no normalization or deduplication between canonical and alias header forms, meaning attacker-controlled headers can reach the auth service intact.
A similar pattern exists in snippet-based auth:
Reference : pkg/middlewares/ingressnginx/snippet/snippet.go#L574-L581
utils.CopyHeaders(forwardReq.Header, req.Header)
RemoveConnectionHeaders(forwardReq)
utils.RemoveHeaders(forwardReq.Header, hopHeaders...)Again, headers are forwarded without enforcing a consistent trust model or canonicalization.
The vulnerability emerges when the auth backend normalizes header names (e.g., treating X_Forwarded_Proto and X-Forwarded-Proto equivalently). In that case:
- Traefik sanitizes only canonical headers.
- Alias headers remain attacker-controlled.
- The auth service merges or evaluates these aliases during normalization.
- Trust predicates (e.g., scheme = HTTPS, trusted host) are satisfied using spoofed values.
This allows a single crafted request to simultaneously bypass ingress trust enforcement and satisfy authentication checks, resulting in unauthorized access to protected backends.
PoC
- Configure a protected route using ForwardAuth or snippet-based auth, with an auth backend that normalizes header names (underscore ↔ dash).
- Send a control request (expected: denied):
GET / HTTP/1.1
Host: target.local
User-Agent: poc-control
Connection: close- Send an exploit request with alias headers (expected: allowed):
GET /protected HTTP/1.1
Host: app.example.local
X_Forwarded_Proto: https
X_Forwarded_Host: trusted.example
Connection: closeImpact
This vulnerability allows unauthenticated attackers to bypass authentication at the proxy-to-auth boundary by injecting spoofed trust context through header aliases. In deployments where authorization decisions depend on forwarded headers, attackers can access protected endpoints and interact with backend services as if they were fully authenticated. This effectively undermines ForwardAuth and similar mechanisms, potentially exposing sensitive internal functionality and data.
Suggested Remediation
- Strip and regenerate both canonical and alias forms of forwarded headers consistently at ingress and during auth subrequests.
- Apply a unified normalization policy across all forwarded header families (including RFC7239 and
X-Forwarded-*). - Restrict which headers are forwarded to auth services (prefer explicit allowlists).
- Add regression tests covering alias normalization inconsistencies across common backend frameworks.
</details>
---
AnalysisAI
Authentication bypass in Traefik Proxy's ForwardAuth and snippet-based authentication middleware allows remote unauthenticated attackers to access protected routes by exploiting incomplete header sanitization. Traefik sanitizes canonical forwarded headers (X-Forwarded-Proto) but fails to strip underscore-based aliases (X_Forwarded_Proto). When authentication backends normalize these header variants equivalently, attackers can inject spoofed trust context through alias headers to satisfy authentication checks without valid credentials. Patches released for versions 2.11.43, 3.6.14, and 3.7.0-rc.2. No public exploit identified at time of analysis, though the detailed technical disclosure in the GitHub advisory provides sufficient implementation details for reproduction.
Technical ContextAI
This vulnerability stems from inconsistent trust boundary enforcement between Traefik's ingress header handling and ForwardAuth subrequest construction. Traefik implements a fixed allowlist of canonical forwarded headers (X-Forwarded-Proto, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Port) for sanitization but lacks normalization logic for semantically equivalent underscore variants. The ForwardAuth middleware copies nearly all client headers to authentication subrequests using utils.CopyHeaders(), filtering only hop-by-hop headers without canonicalizing header names. This creates a normalization mismatch: when downstream authentication services treat X_Forwarded_Proto and X-Forwarded-Proto as equivalent (common in frameworks that normalize header names per HTTP/CGI conventions), attacker-controlled alias headers can override Traefik-sanitized canonical headers. The root cause maps to CWE-290 (Authentication Bypass by Spoofing) where the trust decision depends on client-controllable metadata that undergoes inconsistent validation across system boundaries. Similar patterns exist in snippet-based authentication middleware, indicating systemic header handling gaps rather than isolated implementation flaws.
RemediationAI
Upgrade immediately to patched versions: Traefik v2.11.43 for v2.x deployments, v3.6.14 for v3.6.x deployments, or v3.7.0-rc.2 for v3.7.x pre-release users. Download from official GitHub releases at https://github.com/traefik/traefik/releases. The patches implement comprehensive header canonicalization that strips both canonical and underscore-variant forwarded headers before regenerating them from trusted sources. For environments where immediate patching is not feasible, implement compensating controls at the authentication backend layer: configure strict header parsing that rejects underscore variants or implement explicit allowlisting of only canonical header names. Authentication backends should validate that critical trust headers (X-Forwarded-Proto, X-Forwarded-Host) use only dash-separated canonical forms. Note this workaround shifts trust validation to the backend and may break legitimate clients if underscore headers are used elsewhere; test thoroughly before production deployment. Consider placing an additional WAF or request filter in front of Traefik to block requests containing X_Forwarded_* patterns, though this adds latency and complexity. No workaround fully substitutes for patching - the fundamental trust boundary issue requires the vendor fix.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: LowShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26427
GHSA-5m6w-wvh7-57vm