CVE-2026-33433
Published 2026-03-27
Priority P358 · high · 8.8 (CVSS 3.1, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.47% (37.1th percentile)
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | traefik_traefik_v2 | >= 0 < 2.11.42 | 2.11.42 |
| github.com | traefik_traefik_v3 | >= 3.0.0-beta1 < 3.6.12 | 3.6.12 |
| github.com | traefik_traefik_v3 | >= 3.7.0-ea.1 < 3.7.0-ea.3 | 3.7.0-ea.3 |
| traefik | traefik | < 2.11.42 | 2.11.42 |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | >= 3.0.0 < 3.6.12 | 3.6.12 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 5.1 | MEDIUM | — |
OSV
Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField in github.com/traefik/traefik
osv · 2026-04-02 · CVE-2026-33433
GHSA
Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
ghsa · 2026-03-27 · CVE-2026-33433 · MEDIUM · CWE-290
## Summary
There is a potential vulnerability in Traefik's Basic and Digest authentication middlewares when `headerField` is configured with a non-canonical HTTP header name.
An authenticated attacker with valid credentials can inject the canonical version of the configured header to impersonate any identity to the backend. Because Traefik writes the authenticated username using a non-canonical map key, it creates a separate header entry rather than overwriting the attacker's canonical one — causing most backend frameworks to read the attacker-controlled value instead.
## Patches
- 2.11.42
- 3.6.11
- 3.7.0-ea.3
## For more information
If there are any questions or comments about this advisory, please [open an issue](ht
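The following Go program is an added illustration of the header-map behaviour described in the Summary above; it is not Traefik's code and not the project's patch. It models the pre-fix pattern (writing the configured `headerField` as a raw `http.Header` map key, so a non-canonical name lands in a second entry beside the client's canonical one) next to one mitigation (writing through `Header.Set`, which canonicalizes the key and overwrites). The function names, the `x-auth-user` field name and the header values are constructed for the example; `isCanonicalHeaderField` is a deployer-side configuration check, not a Traefik option.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
)

// constructedClientHeader is a made-up inbound header map in which the client
// has already supplied its own canonical X-Auth-User value.
func constructedClientHeader() http.Header {
	return http.Header{"X-Auth-User": {"someone-else"}}
}

// vulnerableWrite models the pre-fix pattern: the configured headerField is
// used as a raw map key. A non-canonical name such as "x-auth-user" therefore
// becomes a second, separate entry; the canonical one is left untouched.
func vulnerableWrite(h http.Header, headerField, user string) {
	h[headerField] = []string{user}
}

// hardenedWrite is one mitigation (an assumption for this example, not the
// project's actual patch): Header.Set canonicalizes the key and replaces any
// existing value, so exactly one identity header reaches the backend.
func hardenedWrite(h http.Header, headerField, user string) {
	h.Set(headerField, user)
}

// backendIdentity does what a typical Go backend (and most frameworks) does:
// Header.Get canonicalizes the lookup key and returns the first value found
// under the canonical name, whatever the proxy wrote under another spelling.
func backendIdentity(h http.Header, headerField string) string {
	return h.Get(headerField)
}

// isCanonicalHeaderField is a configuration check a deployer can run over
// their middleware settings: it reports whether the configured name survives
// MIME header canonicalization unchanged.
func isCanonicalHeaderField(name string) bool {
	return textproto.CanonicalMIMEHeaderKey(name) == name
}

func main() {
	h := constructedClientHeader()
	vulnerableWrite(h, "x-auth-user", "alice")
	fmt.Printf("vulnerable: backend sees %q, %d entries\n", backendIdentity(h, "x-auth-user"), len(h))

	h = constructedClientHeader()
	hardenedWrite(h, "x-auth-user", "alice")
	fmt.Printf("hardened:   backend sees %q, %d entries\n", backendIdentity(h, "x-auth-user"), len(h))

	fmt.Println("x-auth-user canonical?", isCanonicalHeaderField("x-auth-user"))
	fmt.Println("X-Auth-User canonical?", isCanonicalHeaderField("X-Auth-User"))
}
```

Running the program shows the backend reading the client-supplied `someone-else` in the vulnerable case (two map entries) and the authenticated `alice` in the hardened case (one entry). The `isCanonicalHeaderField` check is the cheap preventive control on unpatched deployments: any `headerField` that fails it should be rewritten in canonical form, and backends should in any case be configured to accept the identity header only from the proxy rather than from arbitrary clients.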
OSV
Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
osv · 2026-03-27 · CVE-2026-33433 · MEDIUM
Red Hat
github.com/traefik/traefik: Traefik: Authentication bypass via non-canonical HTTP header injection
vendor_redhat · 2026-03-27 · CVSS 5.1 · CVE-2026-33433 · MEDIUM · CWE-290
A flaw was found in Traefik, an HTTP reverse proxy and load balancer. When the `headerField` is configured with a non-canonical HTTP header name, an authenticat
No detection rules found.
No public exploits indexed.
References
- https://github.com/traefik/traefik/releases/tag/v2.11.42
- https://github.com/traefik/traefik/releases/tag/v3.6.11
- https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3
- https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c
- https://access.redhat.com/errata/RHSA-2026:10175
- https://access.redhat.com/security/cve/CVE-2026-33433
- https://bugzilla.redhat.com/show_bug.cgi?id=2452289
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33433.json