CVE-2026-29054
Published 2026-03-05
Priority: P3 48 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.47% (37.0th percentile)
Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | traefik_traefik_v2 | >= 2.11.9 < 2.11.38 | 2.11.38 |
| github.com | traefik_traefik_v3 | >= 3.1.3 < 3.6.9 | 3.6.9 |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | >= 2.11.9 < 2.11.38 | 2.11.38 |
| traefik | traefik | >= 3.1.3 < 3.6.9 | 3.6.9 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
VulDB
Traefik up to 2.11.37/3.6.8 Reverse Proxy case sensitivity (Nessus ID 318670)
vuldb · 2026-06-05 · CVSS 7.5 · HIGH
A vulnerability was found in Traefik up to 2.11.37/3.6.8. It has been classified as problematic. The impacted element is an unknown function of the component Reverse Proxy Handler. The manipulation leads to improper handling of case sensitivity.
This vulnerability is referenced as CVE-2026-29054. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
OSV
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`) in github.com/traefik/traefik
osv · 2026-03-10 · CVSS 7.5 · HIGH
GHSA
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)
ghsa · 2026-03-04 · CVSS 7.5 · HIGH · CWE-178
## Impact
There is a potential vulnerability in Traefik managing the `Connection` header with `X-Forwarded` headers.
When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed `X-Forwarded` headers (such as `X-Real-Ip`, `X-Forwarded-Host`, `X-Forwarded-Port`, etc.) via the `Connection` header does not handle case sensitivity correctly. The `Connection` tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase `Connection` tokens (e.g. `Connection: x-real-ip`) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9.
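The defect described above is a mismatch between the comparison and the deletion: the guard compares a `Connection` token byte-for-byte against the protected names, while Go's `http.Header.Del` canonicalizes its argument and therefore deletes case-insensitively. The following Go program is an added illustration written for this page; it is not Traefik's code, and the `protectedHeaders` list, the two `removeHopByHop*` functions and the `survives` helper are assumptions made for the example. It places the defective guard beside the hardened one, which canonicalizes the token with `textproto.CanonicalMIMEHeaderKey` before comparing so that check and delete agree on case.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
	"strings"
)

// Proxy-managed headers that a client's Connection tokens must never strip.
// This list is assumed for the example, not Traefik's own.
var protectedHeaders = []string{
	"X-Real-Ip",
	"X-Forwarded-For",
	"X-Forwarded-Host",
	"X-Forwarded-Port",
	"X-Forwarded-Proto",
}

// connectionTokens splits every Connection header value into trimmed tokens.
func connectionTokens(h http.Header) []string {
	var tokens []string
	for _, v := range h.Values("Connection") {
		for _, t := range strings.Split(v, ",") {
			if t = strings.TrimSpace(t); t != "" {
				tokens = append(tokens, t)
			}
		}
	}
	return tokens
}

// removeHopByHopVulnerable models the defective guard: the token is compared
// case-sensitively against protectedHeaders, but Header.Del canonicalizes its
// argument, so a token such as "x-real-ip" passes the guard and still deletes
// the canonical X-Real-Ip entry.
func removeHopByHopVulnerable(h http.Header) {
	for _, tok := range connectionTokens(h) {
		protected := false
		for _, p := range protectedHeaders {
			if tok == p { // case-sensitive comparison
				protected = true
				break
			}
		}
		if !protected {
			h.Del(tok) // case-insensitive deletion
		}
	}
	h.Del("Connection")
}

// removeHopByHopFixed canonicalizes the token first, so the comparison and the
// deletion use the same key regardless of the case the client sent.
func removeHopByHopFixed(h http.Header) {
	for _, tok := range connectionTokens(h) {
		canon := textproto.CanonicalMIMEHeaderKey(tok)
		protected := false
		for _, p := range protectedHeaders {
			if canon == p {
				protected = true
				break
			}
		}
		if !protected {
			h.Del(canon)
		}
	}
	h.Del("Connection")
}

// survives builds a header set the proxy would hand to a backend (constructed
// sample values), applies the given removal routine with "Connection: token",
// and reports whether the proxy-set X-Real-Ip header is still present.
func survives(remove func(http.Header), token string) bool {
	h := http.Header{}
	h.Set("Connection", token)
	h.Set("X-Real-Ip", "203.0.113.7") // constructed client address set by the proxy
	h.Set("Keep-Alive", "timeout=5")   // genuine hop-by-hop header, should be dropped
	remove(h)
	return h.Get("X-Real-Ip") != ""
}

func main() {
	for _, tok := range []string{"X-Real-Ip", "x-real-ip", "X-REAL-IP", "Keep-Alive"} {
		fmt.Printf("Connection: %-10s  vulnerable keeps X-Real-Ip: %-5v  fixed keeps X-Real-Ip: %v\n",
			tok, survives(removeHopByHopVulnerable, tok), survives(removeHopByHopFixed, tok))
	}
}
```

Running the program shows the identity header surviving under both routines for the exact-case token, but only under the fixed routine for `x-real-ip` and `X-REAL-IP`; an ordinary hop-by-hop token such as `Keep-Alive` never touches `X-Real-Ip` in either. The same property is what a regression test for a header-filtering proxy should pin down: for every protected name, every case variant of the token must leave the header in place.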
Red Hat
github.com/traefik/traefik: Traefik: Information disclosure due to case-insensitive Connection header processing
vendor_redhat · 2026-03-05 · CVSS 7.5 · HIGH · CWE-178
No detection rules found.
No public exploits indexed.
References
- https://github.com/traefik/traefik/releases/tag/v2.11.38
- https://github.com/traefik/traefik/releases/tag/v3.6.9
- https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52
- https://access.redhat.com/errata/RHSA-2026:10175
- https://access.redhat.com/security/cve/CVE-2026-29054
- https://bugzilla.redhat.com/show_bug.cgi?id=2444872
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29054.json