CVE-2026-26998: Allocation of Resources Without Limits or Throttling in Traefik

Severity
4.4 MEDIUM (NVD)
EPSS
0.0% (top 88.29%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 5
Latest update: Mar 10

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentication server is read entirely into memory without any size limit. There is no maxResponseBodySize configuration to restrict the amount of data read from the authentication server response. If the authentication server re

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Exploitability: 0.7 | Impact: 3.6

Affected Packages (4 packages)

CVEListV5: traefik/traefik < 2.11.38 (+1 more)
NVD: traefik/traefik from 3.0.0 up to (excluding) 3.6.9 (+1 more)

Patches

Vulnerability Details (4)

OSV: Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS in github.com/traefik/traefik (2026-03-10)
CVEList: Traefik: unbounded io.ReadAll on auth server response body causes OOM denial of service (DOS) (2026-03-05)
GHSA: Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS (2026-03-04)
OSV: Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS (2026-03-04)

Vendor Advisories (1)

Red Hat: github.com/traefik/traefik: Traefik: Denial of Service due to unbounded ForwardAuth middleware response processing (2026-03-05)

Threat Intelligence (1)

Wiz: CVE-2026-26998 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-26998 — Traefik vulnerability | cvebase