CVE-2026-39858
Published 2026-04-30
Priority P2 · 68 · critical · 10 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.48% (37.8th percentile)
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
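To make the mechanism concrete, here is an added Go example written for this page (it is not Traefik's code and does not reproduce its middleware). It places a sanitiser that strips only the canonical forwarded headers next to an alias-aware one, and feeds the result to a simulated authentication backend that folds dashes and underscores together the way a CGI-style header map does, which is the precondition the advisory names. The header list, the request, and all function names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Proxy-owned trust headers. Illustrative list for this example, not the set
// Traefik itself strips.
var forwardedHeaders = []string{
	"X-Forwarded-Proto",
	"X-Forwarded-Host",
	"X-Forwarded-For",
	"X-Forwarded-Port",
	"X-Forwarded-Uri",
	"X-Forwarded-Method",
}

// sanitizeCanonicalOnly models the pre-fix behaviour: only the exact canonical
// spellings are removed. Go stores "X_Forwarded_Proto" under the key
// "X_forwarded_proto", which h.Del("X-Forwarded-Proto") never touches.
func sanitizeCanonicalOnly(h http.Header) {
	for _, name := range forwardedHeaders {
		h.Del(name)
	}
}

// normalizeHeaderName folds the two spellings together the way a CGI/WSGI style
// backend does when it builds HTTP_X_FORWARDED_PROTO: upper-case, '-' to '_'.
func normalizeHeaderName(name string) string {
	return strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
}

// isForwardedAlias reports whether name collides with a proxy-owned header once
// a normalising backend has folded dashes and underscores.
func isForwardedAlias(name string) bool {
	n := normalizeHeaderName(name)
	for _, fh := range forwardedHeaders {
		if n == normalizeHeaderName(fh) {
			return true
		}
	}
	return false
}

// sanitizeAliases is the hardened form: every header whose normalised name
// matches a proxy-owned header is dropped, whatever its spelling.
func sanitizeAliases(h http.Header) {
	for name := range h {
		if isForwardedAlias(name) {
			delete(h, name) // deleting during a map range is safe in Go
		}
	}
}

// backendTrustContext models an authentication backend that reads the
// forwarded scheme and host through a CGI-style normalising map. If both
// spellings survived, which one wins would depend on map iteration order;
// after either sanitiser above only one spelling can remain.
func backendTrustContext(h http.Header) (proto, host string) {
	env := map[string]string{}
	for name, values := range h {
		env["HTTP_"+normalizeHeaderName(name)] = values[0]
	}
	return env["HTTP_X_FORWARDED_PROTO"], env["HTTP_X_FORWARDED_HOST"]
}

// simulate runs one constructed attacker request through a sanitiser and
// returns the trust context the backend derives from what is left.
func simulate(sanitize func(http.Header)) (proto, host string) {
	req, err := http.NewRequest("GET", "http://app.example/admin", nil)
	if err != nil {
		panic(err)
	}
	// Constructed request: plain HTTP from outside, carrying underscore aliases
	// that claim a trusted scheme and host. The canonical header is included
	// to show that it alone is stripped by the pre-fix sanitiser.
	req.Header.Set("X-Forwarded-Proto", "http")
	req.Header.Set("X_Forwarded_Proto", "https")
	req.Header.Set("X_Forwarded_Host", "trusted.internal")
	sanitize(req.Header)
	return backendTrustContext(req.Header)
}

func main() {
	p, h := simulate(sanitizeCanonicalOnly)
	fmt.Printf("canonical-only sanitiser: backend sees proto=%q host=%q\n", p, h)
	p, h = simulate(sanitizeAliases)
	fmt.Printf("alias-aware sanitiser:    backend sees proto=%q host=%q\n", p, h)
}
```

With the canonical-only sanitiser the backend believes the request arrived over https from trusted.internal; with the alias-aware one it sees no forwarded context at all and must fall back to the real connection. The fix is to match on the normalised name rather than on a fixed list of spellings, so a backend's folding rule cannot be used against the proxy's sanitisation.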
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devspaces | traefik-rhel9 | — | — |
| github.com | traefik_traefik | 0 – 1.7.34 | — |
| github.com | traefik_traefik_v2 | >= 0 < 2.11.43 | 2.11.43 |
| github.com | traefik_traefik_v3 | >= 3.0.0-beta1 < 3.6.14 | 3.6.14 |
| github.com | traefik_traefik_v3 | >= 3.7.0-ea.1 < 3.7.0-rc.2 | 3.7.0-rc.2 |
| traefik | traefik | < 2.11.43 | 2.11.43 |
| traefik | traefik | — | — |
| traefik | traefik | >= 3.0.0 < 3.6.14 | 3.6.14 |
Detection & IOCs (extracted from sources)
- Look for HTTP requests to Traefik-protected routes containing underscore-variant forwarded headers (e.g., X_Forwarded_Proto, X_Forwarded_Host) alongside or instead of their canonical dash-separated equivalents; these may indicate an authentication bypass attempt. Match case-insensitively: Go's header canonicalization records the alias as X_forwarded_proto, so a case-sensitive search for X_Forwarded_Proto misses it.
- Monitor authentication backend logs for requests arriving with underscore-form forwarded headers (e.g., X_Forwarded_Proto, X_Forwarded_Host) that carry spoofed trust context such as a trusted scheme or host, which the backend may normalize and accept as legitimate.
- Flag successful authentication events on ForwardAuth or snippet-based authentication middleware in Traefik versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2 where the upstream request contains underscore-aliased forwarded headers.
- The vulnerability only manifests when the authentication backend normalizes underscore and dash header forms equivalently, as CGI/WSGI-style environments do when they expose both X-Forwarded-Proto and X_Forwarded_Proto as HTTP_X_FORWARDED_PROTO. Backends that treat X_Forwarded_Proto and X-Forwarded-Proto as distinct headers are not susceptible to the bypass.
- Only Traefik deployments using ForwardAuth or snippet-based authentication middleware are affected. Deployments not using these middleware types are not exposed to this bypass.
- Red Hat has noted that no mitigation meeting their criteria is currently available for affected packages (e.g., devspaces/traefik-rhel9). Patching to fixed versions (2.11.43, 3.6.14, or 3.7.0-rc.2) is the primary remediation.
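The first detection item above, implemented as an added Go example over constructed log data (this is not a rule from Traefik, Red Hat, or any detection vendor). It assumes request headers are logged under JSON keys prefixed request_, the shape Traefik produces when header logging is enabled in its access log; the three log records, their field values, and the function names are constructed for the example, and the forwarded-header list is illustrative rather than Traefik's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Proxy-owned forwarded headers. Illustrative list, not Traefik's own.
var forwardedHeaders = []string{
	"X-Forwarded-Proto",
	"X-Forwarded-Host",
	"X-Forwarded-For",
	"X-Forwarded-Port",
	"X-Forwarded-Uri",
	"X-Forwarded-Method",
}

// Finding is one underscore-aliased forwarded header observed in the log.
type Finding struct {
	Line   int    // 1-based line number in the input
	Header string // header name exactly as logged
	Value  string
	Client string
	Path   string
}

func normalize(name string) string {
	return strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
}

// isUnderscoreAlias: the name contains '_' and, once dashes and underscores are
// folded, equals a proxy-owned header. Canonical dash spellings are not flagged,
// since the proxy sets those itself.
func isUnderscoreAlias(name string) bool {
	if !strings.Contains(name, "_") {
		return false
	}
	n := normalize(name)
	for _, fh := range forwardedHeaders {
		if n == normalize(fh) {
			return true
		}
	}
	return false
}

// ScanAccessLog takes newline-separated JSON access-log records whose request
// headers appear under keys prefixed "request_" and returns every
// underscore-aliased forwarded header, sorted by line and header name.
func ScanAccessLog(log string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var rec map[string]interface{}
		if err := json.Unmarshal([]byte(strings.TrimSpace(line)), &rec); err != nil {
			continue // not JSON: skip the line rather than abort the scan
		}
		client, _ := rec["ClientAddr"].(string)
		path, _ := rec["RequestPath"].(string)
		for key, v := range rec {
			name := strings.TrimPrefix(key, "request_")
			if name == key || !isUnderscoreAlias(name) {
				continue
			}
			val, _ := v.(string)
			findings = append(findings, Finding{Line: i + 1, Header: name, Value: val, Client: client, Path: path})
		}
	}
	// Map iteration order is random; sort so output and tests are deterministic.
	sort.Slice(findings, func(a, b int) bool {
		if findings[a].Line != findings[b].Line {
			return findings[a].Line < findings[b].Line
		}
		return findings[a].Header < findings[b].Header
	})
	return findings
}

// Constructed sample: three Traefik-style JSON records with header logging on.
// Header keys carry Go's canonical spelling ("X_forwarded_proto"), which is how
// an underscore header arrives in the log.
const sampleLog = `{"ClientAddr":"203.0.113.7:51234","RequestMethod":"GET","RequestPath":"/admin","DownstreamStatus":200,"request_X-Forwarded-Proto":"http","request_X_forwarded_proto":"https","request_X_forwarded_host":"trusted.internal"}
{"ClientAddr":"198.51.100.9:40022","RequestMethod":"GET","RequestPath":"/","DownstreamStatus":200,"request_X-Forwarded-Proto":"https","request_User-Agent":"curl/8.6.0"}
{"ClientAddr":"203.0.113.7:51235","RequestMethod":"POST","RequestPath":"/api/login","DownstreamStatus":401,"request_X_forwarded_method":"GET","request_Content-Type":"application/json"}`

func main() {
	for _, f := range ScanAccessLog(sampleLog) {
		fmt.Printf("line %d client=%s path=%s alias header %s=%q\n", f.Line, f.Client, f.Path, f.Header, f.Value)
	}
}
```

Run against the sample it reports the two aliases on the /admin request and the X_forwarded_method alias on /api/login, and ignores the canonical X-Forwarded-Proto on the benign second line. A 200 on a protected path paired with a finding is the combination the third detection item asks to flag.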
CVSS provenance
- nvd, CVSS v3.1: 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
- nvd, CVSS v4.0: 7.8 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- vendor_redhat: 7.8 HIGH
Red Hat
vendor_redhat · 2026-04-30 · CVSS 7.8 · CVE-2026-39858 [HIGH] CWE-289
traefik: Traefik: Authentication bypass via unsanitized alias headers
A flaw was found in Traefik. A remote attacker can exploit an authentication bypass vulnerability by injecting spoofed trust context through unsanitized alias headers. This is due to Traefik's forwarded-header sanitization logic not properly handling alias header names that use underscores instead of dashes. This allows an attacker to bypass authentication on protected routes without valid credentials.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Package: devspaces/traefik-rhel9 (Red Hat OpenShift Dev Spaces) - Affected
VulDB
vuldb · 2026-04-30 · CVSS 7.8 · CVE-2026-39858 [HIGH]
Traefik up to 2.11.42/3.6.13/3.7.0-rc.1 X_Forwarded_Proto authentication spoofing
A vulnerability labeled as critical has been found in Traefik up to 2.11.42/3.6.13/3.7.0-rc.1. This affects an unknown part. The manipulation of the argument X_Forwarded_Proto results in authentication bypass by spoofing.
This vulnerability is cataloged as CVE-2026-39858. The attack may be launched remotely. There is no exploit available.
The affected component should be upgraded.
GHSA
ghsa · 2026-04-24 · CVE-2026-39858 [HIGH] CWE-290
Traefik: Pre-authentication decision bypass due to forwarded alias spoofing
## Summary
There is a high severity authentication bypass vulnerability in Traefik's `ForwardAuth` and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., `X-Forwarded-Proto`) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., `X_Forwarded_Proto`). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials.
## Patches

No detection rules found.
No public exploits indexed.
References
- https://github.com/traefik/traefik/releases/tag/v2.11.43
- https://github.com/traefik/traefik/releases/tag/v3.6.14
- https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
- https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm
- https://access.redhat.com/errata/RHSA-2026:21772
- https://access.redhat.com/security/cve/CVE-2026-39858
- https://bugzilla.redhat.com/show_bug.cgi?id=2464234
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39858.json