Skip to main content

Traefik CVE-2026-40912

| EUVDEUVD-2026-26428 HIGH
Use of Incorrectly-Resolved Name or Reference (CWE-706)
2026-04-24 https://github.com/traefik/traefik GHSA-6jwx-7vp4-9847
7.8
CVSS 4.0 · Vendor: https://github.com/traefik/traefik
Share

Severity by source

Vendor (https://github.com/traefik/traefik) PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Red Hat
8.6 HIGH
qualitative

Primary rating from Vendor (https://github.com/traefik/traefik).

CVSS VectorVendor: https://github.com/traefik/traefik

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Patch released
May 01, 2026 - 17:42 nvd
Patch available
Patch available
Apr 30, 2026 - 22:02 EUVD
Re-analysis Queued
Apr 30, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
Apr 30, 2026 - 21:22 NVD
7.8 (HIGH)
Analysis Generated
Apr 24, 2026 - 17:31 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 17:00 euvd
EUVD-2026-26428
Analysis Generated
Apr 24, 2026 - 17:00 vuln.today
CVE Published
Apr 24, 2026 - 16:37 nvd
HIGH 7.8

DescriptionCVE.org

Summary

There is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth.

The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. /./admin/secret).

ForwardAuth receives this dot-segment path in X-Forwarded-Uri, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content

An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization.

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.43
  • https://github.com/traefik/traefik/releases/tag/v3.6.14
  • https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2

For more information

If there are any questions or comments about this advisory, please open an issue.

<details> <summary>Original Description</summary>

Summary

StripPrefixRegex uses the byte length of a decoded Path match to slice the encoded RawPath. When percent-encoded characters are in the prefix region, this produces a wrong RawPath. ForwardAuth then receives this wrong path in X-Forwarded-Uri, sees a path that doesn't match its protection rules, and approves the request. The backend serves protected content.

Details

pkg/middlewares/stripprefixregex/strip_prefix_regex.go, line 62:

go
  req.URL.RawPath = ensureLeadingSlash(req.URL.RawPath[len(prefix):])

prefix comes from matching the regex against the decoded req.URL.Path (line 51). len(prefix) is then used to index into the encoded req.URL.RawPath. These lengths don't match when percent-encoding is present.

Example with regex ^/api:

  • GET /api%20/admin/secret
  • Decoded Path: /api /admin/secret -> prefix = /api (4 bytes)
  • Encoded RawPath: /api%20/admin/secret -> same region is 6 bytes
  • RawPath[4:] = %20/admin/secret -> after ensureLeadingSlash -> /%20/admin/secret
  • ForwardAuth sees X-Forwarded-Uri: /%20/admin/secret -> not /admin/* -> allows it
  • Backend serves the protected admin content

PoC

Requires Docker and Docker Compose. I have a setup that runs Traefik v3.6.11 with StripPrefixRegex + ForwardAuth + a backend. It sends a normal request (blocked, 403) and an encoded request (bypasses auth, 200, returns protected data). Can share the files here if useful.

Impact

Auth bypass. Any path protected by ForwardAuth, BasicAuth, or DigestAuth can be accessed without credentials when StripPrefixRegex is in the same middleware chain. The attacker only needs to add a percent-encoded character to the prefix portion of the URL.

---

Updated PoC (reporter follow-up)

After further testing, the confirmed working exploit uses %2e (percent-encoded dot) rather than %20. Dot-segment normalization (/./ -> /) is RFC 3986 standard behavior handled automatically by Express.js, Go's http.ServeMux, Spring Boot, and others - no custom configuration needed.

Chain:

GET /api%2e/admin/secret
-> StripPrefixRegex strips /api -> RawPath becomes /./admin/secret
-> ForwardAuth sees /./admin/secret -> does not match /admin/ -> allows
-> Express normalizes /./admin/secret -> /admin/secret -> serves protected content

Results (Traefik v3.6, unmodified Express.js express.static):

GET /api/admin/secret      -> 403 (blocked)
GET /api%2e/admin/secret   -> 200 (bypass - served protected content)
GET /api%20/admin/secret   -> 404 (space not normalized by backend)

Auth server logs:

X-Forwarded-Uri: '/admin/secret'    -> DENIED
X-Forwarded-Uri: '/./admin/secret'  -> ALLOWED

Reproduction:

bash
docker compose up -d --build --wait
curl http://localhost:8080/api/admin/secret
# -> 403
curl --path-as-is "http://localhost:8080/api%2e/admin/secret"
# -> 200

</details>

---

AnalysisAI

Authentication bypass in Traefik's StripPrefixRegex middleware allows unauthenticated remote attackers to access protected resources when combined with ForwardAuth, BasicAuth, or DigestAuth. By inserting a percent-encoded dot (%2e) in the URL prefix, attackers exploit a length mismatch between decoded path matching and encoded path slicing, causing ForwardAuth to receive a dot-segment path (/./admin/secret) that bypasses protection rules while backend servers normalize it to the protected path (/admin/secret). Confirmed with working proof-of-concept against Traefik v3.6.11. Patches released for v2.11.43, v3.6.14, and v3.7.0-rc.2. No CVSS score assigned yet, but meets criteria for high severity given complete authentication bypass with network attack vector requiring no privileges or user interaction.

Technical ContextAI

The vulnerability resides in Traefik's StripPrefixRegex middleware implementation (pkg/middlewares/stripprefixregex/strip_prefix_regex.go, line 62), which performs regex matching against the URL-decoded Path but then uses the matched string's byte length to slice the percent-encoded RawPath. This creates a byte-length mismatch when percent-encoded characters exist in the prefix region. Specifically, when %2e (encoded dot) appears in the prefix, the decoded prefix is shorter than its encoded equivalent, causing incorrect slicing that produces a dot-segment path like /./admin/secret. The ForwardAuth middleware receives this malformed path via the X-Forwarded-Uri header, which doesn't match configured protection patterns (e.g., /admin/*). However, RFC 3986-compliant backend servers automatically normalize dot-segments during path resolution, converting /./admin/secret to /admin/secret and serving the protected content. The vulnerability is rooted in CWE-706 (Use of Incorrectly-Resolved Name or Reference), where the authentication layer and backend server resolve the same URL to different paths. This affects Traefik v2.x and v3.x branches when StripPrefixRegex is chained with any authentication middleware (ForwardAuth, BasicAuth, DigestAuth). The flaw is particularly dangerous because dot-segment normalization is standard behavior in Express.js, Go's http.ServeMux, Spring Boot, and most modern web frameworks, requiring no special backend configuration.

RemediationAI

Upgrade Traefik to a patched version immediately: v2.11.43 for the v2.x branch (https://github.com/traefik/traefik/releases/tag/v2.11.43), v3.6.14 for the v3.6.x branch (https://github.com/traefik/traefik/releases/tag/v3.6.14), or v3.7.0-rc.2 or later for v3.7.x (https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2). If immediate patching is not feasible, implement one of these compensating controls: (1) Remove StripPrefixRegex middleware from any router configuration that includes ForwardAuth, BasicAuth, or DigestAuth-this eliminates the vulnerable code path but requires reconfiguring backend applications to handle full paths including prefixes; (2) Replace StripPrefixRegex with the StripPrefix middleware (non-regex version) if exact prefix matching suffices for your use case, as it does not exhibit this vulnerability; (3) Implement additional path validation in the ForwardAuth service to reject requests containing dot-segments (/./ or /../) in the X-Forwarded-Uri header-this adds defense-in-depth but may cause false positives if legitimate traffic uses these patterns; (4) Deploy a Web Application Firewall rule to block requests containing percent-encoded dots (%2e, %2E) in URL paths-this prevents exploitation but may break legitimate applications that require encoded dots. Each workaround has operational trade-offs: options 1-2 require configuration changes and possible application modifications, option 3 adds processing overhead and complexity to auth services, and option 4 risks blocking valid traffic. The vendor-supplied patch is the only complete remediation without side effects.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-40912 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy