CVE-2026-29054 — Improper Handling of Case Sensitivity in Traefik Traefik V2
Severity
7.5HIGHNVD
EPSS
0.0%
top 97.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 5
Latest updateMar 10
Description
Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection to…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6
Affected Packages4 packages
Patches
🔴Vulnerability Details
4OSV▶
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`) in github.com/traefik/traefik↗2026-03-10
CVEList▶
Traefik: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)↗2026-03-05
GHSA▶
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)↗2026-03-04
OSV▶
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)↗2026-03-04
📋Vendor Advisories
1Red Hat▶
github.com/traefik/traefik: Traefik: Information disclosure due to case-insensitive Connection header processing↗2026-03-05