Back to overview

CVE-2026-54763

HIGH
7.8
CVSS 4.0
Description
Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which many backends normalize identically to dashed forms. An attacker able to reach a protected route can inject an underscore-variant header that survives Traefik's stripping and reaches the backend alongside, or on the unauthenticated ForwardAuth authResponseHeaders path instead of, the value Traefik intended to set, spoofing identity or authorization context. This issue is fixed in versions v2.11.51, v3.6.22, and v3.7.6.

Metadata

CVE ID
CVE-2026-54763
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-15 23:12 UTC
Published
2026-07-06 20:33 UTC
Last updated
2026-07-07 02:52 UTC
Primary CWE
CWE-178
CWE-178: Improper Handling of Case Sensitivity
Vendor / Product
traefik / traefik
Sources
cve.org  ·  NVD

Severity & Metrics

7.8 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Affected products (1)
VendorProductPlatformVersions
traefik traefik < 2.11.51, >= 3.0.0-beta1, < 3.6.22, >= 3.7.0-ea.1, < 3.7.6
Weakness (CWE)
CWESourceDescription
CWE-178 cna CWE-178: Improper Handling of Case Sensitivity
CWE-290 cna CWE-290: Authentication Bypass by Spoofing
CWE-345 cna CWE-345: Insufficient Verification of Data Authenticity
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.8 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
References (3)
Back to overview