CVE-2026-33433 — Authentication Bypass by Spoofing in Traefik

CWE-290 — Authentication Bypass by Spoofing7 documents6 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 94.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Traefik Github.com Traefik Traefik V2 Github.com Traefik Traefik V3

Timeline

PublishedMar 27

Latest updateApr 2

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3…

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Affected Packages4 packages

▶CVEListV5traefik/traefik< 2.11.42+2

▶NVDtraefik/traefik3.0.0 — 3.6.12+2

▶Gogithub.com/traefik_traefik_v2< 2.11.42

▶Gogithub.com/traefik_traefik_v33.0.0-beta1 — 3.6.12+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField in github.com/traefik/traefik↗2026-04-02

▶

GHSA

Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField↗2026-03-27

▶

OSV

Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField↗2026-03-27

▶

CVEList

Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField↗2026-03-27

▶

📋Vendor Advisories

Red Hat

github.com/traefik/traefik: Traefik: Authentication bypass via non-canonical HTTP header injection↗2026-03-27

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33433 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶