Executive Summary
A critical authentication bypass vulnerability (CVE-2026-35051, CVSS 10.0) has been disclosed in Traefik, the widely deployed HTTP reverse proxy and load balancer. The flaw resides in Traefik's ForwardAuth middleware and is triggered when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy.
Under this configuration, attackers who can inject or manipulate HTTP headers reaching Traefik can bypass the ForwardAuth authentication check entirely, gaining unauthorized access to backend services protected by Traefik's authentication layer.
Organizations running Traefik in configurations with an upstream trusted proxy should update to version 2.11.43, 3.6.14, or 3.7.0-rc.2 immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-35051 |
| CVSS Score | 10.0 (Critical) |
| CWE | CWE-287 — Improper Authentication |
| Type | Authentication Bypass |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Affected Component | ForwardAuth Middleware |
| Fixed Versions | 2.11.43, 3.6.14, 3.7.0-rc.2 |
Affected Versions
| Branch | Affected | Fixed Version |
|---|---|---|
| Traefik v2.x | < 2.11.43 | 2.11.43 |
| Traefik v3.x | < 3.6.14 | 3.6.14 |
| Traefik v3.7 (RC) | < 3.7.0-rc.2 | 3.7.0-rc.2 |
Technical Analysis
How ForwardAuth Works
Traefik's ForwardAuth middleware delegates authentication decisions to an external service. When a request arrives at Traefik, it forwards the request (or a copy of its headers) to an authentication service. If the auth service returns a 2xx response, the request proceeds; otherwise, Traefik rejects it.
The trustForwardHeader configuration option controls whether Traefik trusts X-Forwarded-* headers from upstream proxies. When set to false, Traefik should reject or strip these headers, refusing to honor potentially attacker-controlled forwarded-address claims.
The Vulnerability
The vulnerability arises when trustForwardHeader=false is set but Traefik is deployed behind a trusted upstream proxy (such as a CDN, load balancer, or another reverse proxy). In this scenario:
- The upstream proxy is trusted and adds legitimate X-Forwarded-* headers
- Traefik, configured with trustForwardHeader=false, should strip these headers before forwarding to the ForwardAuth service
- Due to the vulnerability, under specific conditions the header stripping logic does not apply correctly, allowing crafted headers from the upstream or an attacker to influence the ForwardAuth decision
- The authentication check can be bypassed, forwarding requests to the backend without proper authentication validation
Attack Flow
1. Attacker sends an HTTP request to the upstream proxy in front of Traefik
2. Attacker crafts or injects headers that influence the ForwardAuth flow
3. Despite trustForwardHeader=false, Traefik's header sanitization fails to strip or properly handle the crafted headers in the trusted-proxy configuration
4. The ForwardAuth service receives manipulated request context
5. ForwardAuth incorrectly approves the request (or is bypassed entirely)
6. Traefik forwards the attacker's request to the protected backend service
7. Attacker gains unauthorized access to services behind Traefik's auth layer
Conditions for Exploitation
- Traefik with ForwardAuth middleware enabled
- trustForwardHeader=false configured (intended to increase security, paradoxically the vulnerable state)
- Traefik deployed behind an upstream proxy/load balancer
- Attacker can send HTTP requests that reach the upstream proxy
Impact Assessment
| Impact Area | Description |
|---|---|
| Authentication Bypass | Complete bypass of ForwardAuth-protected routes |
| Unauthorized API Access | Access to APIs and services protected by Traefik auth |
| Data Exfiltration | Unauthorized access to protected data behind Traefik |
| Privilege Escalation | Bypass of authentication enables access to admin interfaces |
| Lateral Movement | Access to internal services using Traefik as an entry point |
| Compliance Violation | Authentication bypass violates numerous compliance frameworks |
Remediation
Step 1: Update Traefik Immediately
```shell
# Docker — pull the patched image
docker pull traefik:v3.6.14
# or
docker pull traefik:v2.11.43
# Kubernetes Helm
helm upgrade traefik traefik/traefik --version <patched-chart-version>
# Verify version
traefik version
```
Step 2: Restart Traefik with the Updated Image
```shell
# Docker Compose
docker-compose pull traefik
docker-compose up -d traefik
# Kubernetes
kubectl rollout restart deployment/traefik -n traefik
kubectl rollout status deployment/traefik -n traefik
```
Step 3: Review ForwardAuth Configuration
Audit all ForwardAuth middleware configurations for the interaction between trustForwardHeader and upstream proxy settings:
```yaml
# traefik.yml — review these settings
providers:
  file:
    filename: /etc/traefik/dynamic.yml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
# Check forwarded header trust settings
# After patching, verify trustForwardHeader behavior is as expected
```
Step 4: Verify ForwardAuth Middleware in Dynamic Config
```yaml
# dynamic.yml — audit ForwardAuth middleware
http:
  middlewares:
    auth-middleware:
      forwardAuth:
        address: "https://auth.example.com/verify"
        trustForwardHeader: false
        # After patch, verify header sanitization works correctly
        authResponseHeaders:
          - "X-Auth-User"
          - "X-Auth-Groups"
```
Step 5: Temporary Workaround (If Immediate Update Is Not Possible)
If an emergency patch is not immediately deployable, consider:
- Temporarily disable ForwardAuth on non-critical routes until patching is complete
- Add authentication at the upstream proxy level as an additional layer
- Restrict access to ForwardAuth-protected routes at the network/firewall level
Detection
| Indicator | Description |
|---|---|
| Requests reaching backends without valid auth tokens | ForwardAuth bypassed |
| Unusual X-Forwarded-* headers in Traefik access logs | Header injection attempts |
| Access to protected routes from unexpected IPs | Bypass exploitation |
| ForwardAuth service receiving unusual request patterns | Active exploitation probe |
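The first two indicators in the table can be checked mechanically once Traefik writes JSON access logs with request headers kept (the configuration shown further below). The following script is an added example, not part of the advisory or of Traefik: it scans constructed sample log lines, flags X-Forwarded-* headers arriving from a source other than the trusted upstream range, and flags 2xx responses on a ForwardAuth-protected router that carry no Authorization header. The trusted range, the router names and the use of a bearer token in the Authorization header are assumptions for the example; the field names follow Traefik's `request_<Header>` convention for logged headers.

```python
import json
import ipaddress

# Constructed sample lines in Traefik's JSON access-log shape (format: json, headers kept).
# Values are made up for illustration; header fields use the "request_<Header>" naming.
SAMPLE_LOG = """
{"ClientAddr":"10.0.0.5:41022","RequestPath":"/api/admin","RouterName":"admin@file","DownstreamStatus":200,"request_Authorization":"Bearer REDACTED","request_X-Forwarded-For":"203.0.113.7"}
{"ClientAddr":"198.51.100.23:52210","RequestPath":"/api/admin","RouterName":"admin@file","DownstreamStatus":200,"request_X-Forwarded-For":"10.0.0.5","request_X-Forwarded-Host":"auth.example.com"}
{"ClientAddr":"10.0.0.5:41030","RequestPath":"/healthz","RouterName":"public@file","DownstreamStatus":200}
"""

TRUSTED_UPSTREAMS = [ipaddress.ip_network("10.0.0.0/24")]  # hypothetical CDN/LB address range
PROTECTED_ROUTERS = {"admin@file"}                          # hypothetical routers behind ForwardAuth


def is_trusted_source(client_addr: str) -> bool:
    """True if the TCP peer that reached Traefik is one of the trusted upstream proxies."""
    host = client_addr.rsplit(":", 1)[0].strip("[]")  # drop port, handle bracketed IPv6
    return any(ipaddress.ip_address(host) in net for net in TRUSTED_UPSTREAMS)


def analyze(entry: dict) -> list[str]:
    """Return human-readable findings for one parsed access-log entry."""
    findings = []
    # Indicator 1: forwarded-address claims that did not come from the trusted proxy.
    fwd = {k: v for k, v in entry.items() if k.lower().startswith("request_x-forwarded-")}
    if fwd and not is_trusted_source(entry["ClientAddr"]):
        findings.append(f"forwarded headers from untrusted source {entry['ClientAddr']}: {sorted(fwd)}")
    # Indicator 2: a protected route answered 2xx although the request carried no credential.
    status = entry.get("DownstreamStatus", 0)
    if (entry.get("RouterName") in PROTECTED_ROUTERS and 200 <= status < 300
            and "request_Authorization" not in entry):
        findings.append(f"2xx on protected router {entry['RouterName']} without Authorization header")
    return findings


def scan(log_text: str) -> list[tuple[str, str]]:
    """Parse newline-delimited JSON log lines and collect (request path, finding) pairs."""
    results = []
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        for finding in analyze(entry):
            results.append((entry["RequestPath"], finding))
    return results


if __name__ == "__main__":
    for path, finding in scan(SAMPLE_LOG):
        print(path, "->", finding)
```

Both hits come from the second sample line; a request from the trusted proxy that carries a credential (first line) and an unprotected route (third line) produce nothing.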
Enable Traefik access logging to detect anomalies:
```yaml
# traefik.yml
log:
  level: INFO
accessLog:
  filePath: "/var/log/traefik/access.log"
  format: json
  fields:
    headers:
      defaultMode: keep
```
Post-Remediation Checklist
- Update Traefik to version 2.11.43, 3.6.14, or 3.7.0-rc.2
- Restart Traefik and verify the new version is running
- Audit ForwardAuth middleware configurations across all deployments
- Test authentication flows to confirm ForwardAuth is functioning correctly
- Review access logs for signs of prior exploitation attempts
- Rotate credentials/tokens for any services protected by ForwardAuth
- Monitor for anomalous authentication patterns post-patch