CVE-2026-40912
Published 2026-04-30
Priority: P3 57 · Severity: high · CVSS 3.1: 8.2
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.77% (50.9th percentile)
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high-severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. /./admin/secret). ForwardAuth receives this dot-segment path in X-Forwarded-Uri, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content. An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
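The Path/RawPath desync described above, as an added Go example that is not Traefik's code: stripDesynced models the flawed slicing (decoded prefix length applied to the percent-encoded raw path), and stripConsistent shows one hardening, slicing the raw path by its own encoded length and enforcing the invariant that the stripped RawPath still decodes to the stripped Path. The pattern `^/api/[^/]+/`, the helper names and the request paths are constructed assumptions, and the fix shown is one possible approach rather than the upstream patch.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

func slash(s string) string { return "/" + strings.TrimPrefix(s, "/") } // re-add the leading "/"

// stripDesynced models the flaw described above: the regex is matched on the decoded Path, and that decoded prefix length is used to slice the percent-encoded RawPath.
func stripDesynced(pattern, path, rawPath string) (string, string) {
	prefix := regexp.MustCompile(pattern).FindString(path)
	if prefix == "" || !strings.HasPrefix(path, prefix) {
		return path, rawPath
	}
	return slash(path[len(prefix):]), slash(rawPath[len(prefix):]) // BUG: decoded length applied to raw bytes
}

// rawPrefixLen: number of bytes of rawPath that encode its first decodedLen decoded bytes (%XX counts as one byte).
func rawPrefixLen(rawPath string, decodedLen int) int {
	i := 0
	for n := 0; i < len(rawPath) && n < decodedLen; n++ {
		if rawPath[i] == '%' && i+2 < len(rawPath) {
			i += 2 // skip the two hex digits of a %XX escape (assumed syntactically valid)
		}
		i++
	}
	return i
}

// stripConsistent slices RawPath by its own encoded length, then enforces the invariant
// PathUnescape(RawPath) == Path and refuses to rewrite on mismatch, so no desynced pair reaches an auth middleware or X-Forwarded-Uri.
func stripConsistent(pattern, path, rawPath string) (string, string, error) {
	prefix := regexp.MustCompile(pattern).FindString(path)
	if prefix == "" || !strings.HasPrefix(path, prefix) {
		return path, rawPath, nil
	}
	newPath := slash(path[len(prefix):])
	newRaw := slash(rawPath[rawPrefixLen(rawPath, len(prefix)):])
	if dec, err := url.PathUnescape(newRaw); err != nil || dec != newPath {
		return "", "", fmt.Errorf("refusing rewrite: Path %q vs RawPath %q", newPath, newRaw)
	}
	return newPath, newRaw, nil
}

func main() {
	path, raw := "/api/foo./admin/secret", "/api/%66oo./admin/secret" // constructed regression input: a %XX escape plus a dot inside the stripped prefix
	fmt.Println(stripDesynced(`^/api/[^/]+/`, path, raw))
	fmt.Println(stripConsistent(`^/api/[^/]+/`, path, raw))
}
```

The same invariant check (unescaped RawPath equals Path after every rewrite) is a cheap assertion to keep in any middleware that touches both fields.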
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devspaces | traefik-rhel9 | — | — |
| github.com | traefik_traefik | 0 – 1.7.34 | — |
| github.com | traefik_traefik_v2 | >= 0 < 2.11.43 | 2.11.43 |
| github.com | traefik_traefik_v3 | >= 3.0.0-beta1 < 3.6.14 | 3.6.14 |
| github.com | traefik_traefik_v3 | >= 3.7.0-ea.1 < 3.7.0-rc.2 | 3.7.0-rc.2 |
| traefik | traefik | < 2.11.43 | 2.11.43 |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | >= 3.0.0 < 3.6.14 | 3.6.14 |
CVSS provenance
- NVD (v3.1): 8.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- NVD (v4.0): 7.8 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Red Hat (vendor): 7.8 HIGH
VulDB
Traefik up to 2.11.42/3.6.13/3.7.0-rc.1 StripPrefixRegex Middleware name resolution
vuldb · 2026-04-30 · CVSS 7.8 · CVE-2026-40912 [HIGH]
A vulnerability was found in Traefik up to 2.11.42/3.6.13/3.7.0-rc.1 and classified as critical. The impacted element is an unknown function of the component StripPrefixRegex Middleware. The manipulation results in an incorrectly resolved name.
This vulnerability was named CVE-2026-40912. The attack may be performed from remote. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
Traefik has a StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync
ghsa · 2026-04-24 · CVE-2026-40912 [HIGH] · CWE-706
## Summary
There is a high severity authentication bypass vulnerability in Traefik's `StripPrefixRegex` middleware when used in combination with `ForwardAuth`, `BasicAuth`, or `DigestAuth`.
The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. `/./admin/secret`).
`ForwardAuth` receives this dot-segment path in `X-Forwarded-Uri`, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 a
Red Hat
github.com/traefik/traefik: Traefik: Authentication bypass via crafted URL dot-segments in StripPrefixRegex middleware
vendor_redhat · 2026-04-30 · CVSS 7.8 · CVE-2026-40912 [HIGH] · CWE-22
A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This authentication bypass vulnerability allows an unauthenticated attacker to access protected content. The flaw occurs when the StripPrefixRegex middleware is used with authentication mechanisms such as ForwardAuth, BasicAuth, or DigestAuth. By crafting a specific URL with dot-segments, an attacker can bypass authentication checks and gain unauthorized access to sensitive resources.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread install
No detection rules found.
No public exploits indexed.
References
- https://github.com/traefik/traefik/releases/tag/v2.11.43
- https://github.com/traefik/traefik/releases/tag/v3.6.14
- https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
- https://github.com/traefik/traefik/security/advisories/GHSA-6jwx-7vp4-9847
- https://access.redhat.com/errata/RHSA-2026:21772
- https://access.redhat.com/security/cve/CVE-2026-40912
- https://bugzilla.redhat.com/show_bug.cgi?id=2464229
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40912.json