10

CVE-2026-39858

Exploit

Traefik: Forwarded alias spoofing top pre-auth decision bypass

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
TraefikTraefik Version < 2.11.43
TraefikTraefik Version >= 3.0.0 < 3.6.14
TraefikTraefik Version3.7.0 Updateea1
TraefikTraefik Version3.7.0 Updateea2
TraefikTraefik Version3.7.0 Updateea3
TraefikTraefik Version3.7.0 Updaterc1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.48% 0.378
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 10 3.9 5.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
security-advisories@github.com 7.8 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.2 3.9 4.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE-289 Authentication Bypass by Alternate Name

The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/traefik/traefik/releases/tag/v2.11.43
Product
Release Notes
https://github.com/traefik/traefik/releases/tag/v3.6.14
Product
Release Notes
https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
Product
Release Notes
https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm
Patch
Vendor Advisory
Exploit
Mitigation
https://access.redhat.com/errata/RHSA-2026:21772
https://access.redhat.com/security/cve/CVE-2026-39858
https://bugzilla.redhat.com/show_bug.cgi?id=2464234
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39858.json