Executive Summary
CVE-2026-39858 is a second critical CVSS 10.0 authentication bypass vulnerability disclosed in Traefik alongside CVE-2026-35051. This vulnerability affects both ForwardAuth and snippet-based authentication middleware and stems from a flaw in Traefik's forwarded-header sanitization logic.
The sanitization logic that should strip or normalize X-Forwarded-* and similar headers targets only canonical header forms, leaving non-canonical representations unprocessed. An attacker can exploit this by sending headers in non-canonical format that bypass sanitization and influence authentication decisions, effectively defeating the authentication layer protecting backend services.
All Traefik deployments using ForwardAuth or snippet-based auth middleware on versions prior to 2.11.43, 3.6.14, or 3.7.0-rc.2 are vulnerable. Both CVE-2026-35051 and CVE-2026-39858 are fixed in the same patch releases.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-39858 |
| CVSS Score | 10.0 (Critical) |
| CWE | CWE-116 — Improper Encoding or Escaping of Output / Header Sanitization |
| Type | Authentication Bypass via Header Injection |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Affected Components | ForwardAuth Middleware, Snippet-based Auth Middleware |
| Fixed Versions | 2.11.43, 3.6.14, 3.7.0-rc.2 |
Affected Versions
| Branch | Affected | Fixed Version |
|---|---|---|
| Traefik v2.x | < 2.11.43 | 2.11.43 |
| Traefik v3.x | < 3.6.14 | 3.6.14 |
| Traefik v3.7 (RC) | < 3.7.0-rc.2 | 3.7.0-rc.2 |
Technical Analysis
Root Cause: Non-Canonical Header Bypass
HTTP header names are case-insensitive per RFC 7230. The canonical form typically uses title-case (e.g., X-Forwarded-For). Traefik's forwarded-header sanitization logic checks and strips headers by matching against their canonical representations.
The vulnerability arises because the sanitization code only checks for canonical header names. Sending the same header with a non-canonical casing (e.g., x-forwarded-for, X-FORWARDED-FOR, or x-ForWaRded-For) causes the header to pass through the sanitization layer unstripped.
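To make the root cause concrete, here is an added Go illustration of the bug class (example code, not Traefik's own): a sanitizer that deletes forwarded headers by their canonical key, beside a case-insensitive version, both run against a header map that also holds a non-canonical key; it also walks through the header mismatch in the attack flow section below. The header list and the way the non-canonical key gets into the map are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Forwarded headers the sanitizer must strip before the request goes on (assumed list for this demo).
var forwardedIdentityHeaders = []string{"X-Forwarded-User", "X-Forwarded-Email", "X-Forwarded-For"}

// stripCanonicalOnly reproduces the flawed pattern: Header.Del canonicalizes its argument
// and deletes only that exact map key, so "x-forwarded-user" stored verbatim is never touched.
func stripCanonicalOnly(h http.Header) {
	for _, name := range forwardedIdentityHeaders {
		h.Del(name)
	}
}

// stripAnyCase is the hardened form: every stored key is compared case-insensitively,
// so casing variants go too (deleting while ranging over a map is safe in Go).
func stripAnyCase(h http.Header) {
	for key := range h {
		for _, name := range forwardedIdentityHeaders {
			if strings.EqualFold(key, name) {
				delete(h, key)
				break
			}
		}
	}
}

// identityAfter runs strip on constructed sample headers and returns the X-Forwarded-User
// value a case-insensitive lookup would still see afterwards ("" when none survives).
func identityAfter(strip func(http.Header)) string {
	h := http.Header{}
	h.Set("X-Forwarded-User", "anonymous")    // canonical: stripped by both sanitizers
	h["x-forwarded-user"] = []string{"admin"} // written straight into the map, as buggy code might: survives the flawed sanitizer
	strip(h)
	for key, values := range h {
		if strings.EqualFold(key, "X-Forwarded-User") && len(values) > 0 {
			return values[0]
		}
	}
	return ""
}

func main() {
	fmt.Printf("flawed=%q hardened=%q\n", identityAfter(stripCanonicalOnly), identityAfter(stripAnyCase))
}
```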
Impact on ForwardAuth and Snippet Middleware
ForwardAuth: When Traefik forwards a request to the external authentication service, the sanitization bypass allows attacker-controlled headers to reach the auth service. If the auth service makes trust decisions based on forwarded headers (e.g., trusting X-Forwarded-User), the attacker can impersonate any user or claim arbitrary authentication context.
Snippet-based middleware: Traefik supports inline configuration snippets for authentication logic. The same header sanitization bypass affects snippet-based auth checks, allowing crafted headers to influence snippet execution and bypass authentication decisions.
Attack Flow
1. Attacker identifies a Traefik route protected by ForwardAuth or snippet-based auth
2. Attacker crafts an HTTP request with non-canonical forwarded headers, e.g., "x-forwarded-user: admin" instead of "X-Forwarded-User: admin"
3. Traefik's sanitization logic checks for "X-Forwarded-User" (canonical) and does not find it
4. The non-canonical header passes through unsanitized
5. Traefik forwards the request with the attacker's "x-forwarded-user: admin" to the ForwardAuth service
6. The ForwardAuth service receives the header, treats it as valid, and returns 200 OK
7. Traefik grants access to the protected backend as the impersonated user
Relationship to CVE-2026-35051
CVE-2026-35051 and CVE-2026-39858 are related but distinct vulnerabilities disclosed at the same time and fixed in the same releases:
| | CVE-2026-35051 | CVE-2026-39858 |
|---|---|---|
| Root Cause | Proxy trust configuration interaction | Non-canonical header sanitization bypass |
| Trigger | trustForwardHeader=false + upstream proxy | Any ForwardAuth/snippet deployment |
| Mechanism | Header stripping logic fails in proxy context | Sanitization only checks canonical headers |
| Affected Middleware | ForwardAuth | ForwardAuth + Snippet-based auth |
Organizations should patch for both vulnerabilities simultaneously as they are fixed in the same releases.
Impact Assessment
| Impact Area | Description |
|---|---|
| Identity Spoofing | Attacker can impersonate any user via crafted forwarded headers |
| Authentication Bypass | Complete bypass of ForwardAuth-protected routes |
| Authorization Escalation | Claim admin/elevated roles via forged identity headers |
| Multi-Tenant Violation | In multi-tenant deployments, tenant isolation bypassed |
| Downstream Service Compromise | Backend services receiving spoofed identity may perform privileged operations |
| Audit Log Poisoning | Actions performed under spoofed identities appear legitimate in logs |
Remediation
Step 1: Update Traefik
```bash
# Docker
docker pull traefik:v3.6.14
# or for v2 branch
docker pull traefik:v2.11.43

# Kubernetes with Helm
helm repo update
helm upgrade traefik traefik/traefik \
  --set image.tag=v3.6.14 \
  -n traefik

# Binary install: download the patched binary from Traefik releases
curl -L https://github.com/traefik/traefik/releases/download/v3.6.14/traefik_v3.6.14_linux_amd64.tar.gz \
  -o traefik.tar.gz && tar -xzf traefik.tar.gz
```
Step 2: Verify the Patch Is Applied
```bash
# Confirm running version
traefik version
# Expected output: Version: v3.6.14 (or v2.11.43)

# Or via API
curl http://localhost:8080/api/version
```
Step 3: Harden Header Processing
After patching, review and harden forwarded-header handling across all middleware:
```yaml
# dynamic.yml — ForwardAuth hardening
http:
  middlewares:
    auth-hardened:
      forwardAuth:
        address: "https://auth.internal/verify"
        # Explicitly allowlist headers to pass to auth service
        authRequestHeaders:
          - "Authorization"
          - "X-Request-Id"
        # Restrict headers copied back from auth service
        authResponseHeaders:
          - "X-Auth-User"
          - "X-Auth-Role"
        # Do not pass arbitrary forwarded headers
        trustForwardHeader: false
```
Step 4: Audit Authentication Service Header Trust
Review your ForwardAuth service to ensure it validates headers securely:
```python
# Example: Harden auth service to only trust headers Traefik explicitly injects
# Never trust X-Forwarded-User or similar from the incoming request
# Instead, set identity in authResponseHeaders from your own validation logic


def validate_token(token):
    """Placeholder: replace with the deployment's own token/session validation.
    Must return an object with .id and .role attributes, or None when invalid."""
    raise NotImplementedError("wire up your real token validation here")


def verify_request(request):
    # Only trust the Authorization header or session token
    # Do NOT trust X-Forwarded-User, X-Real-IP as identity claims
    token = request.headers.get("Authorization")
    if not token:
        return 401, {}
    user = validate_token(token)
    if not user:
        return 401, {}
    # Return identity via response headers that Traefik will forward
    return 200, {"X-Auth-User": user.id, "X-Auth-Role": user.role}
```
Detection
| Indicator | Description |
|---|---|
| Requests with non-canonical header casing in access logs | Potential exploitation probe |
| Unexpected user identities in backend service logs | Post-bypass activity |
| ForwardAuth service receiving requests with identity headers | Header injection attempt |
| Access to protected routes with missing or anomalous auth tokens | Bypass succeeded |
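As an added example (not part of the original advisory), the following Go scanner generalizes the first two indicators in the table above: it walks JSON access-log lines and flags any logged request header whose name is not in canonical form, plus any forwarded identity header a client supplied, matched case-insensitively. The log lines are constructed, and the "request_<Header-Name>" field naming and the identity-header list are assumptions for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample lines in Traefik's JSON access-log shape; logged request headers are
// assumed to appear as "request_<Header-Name>" fields for this demonstration.
const sampleLog = `{"ClientAddr":"203.0.113.7:51000","RequestPath":"/admin","request_X-Forwarded-User":"alice"}
{"ClientAddr":"203.0.113.9:51001","RequestPath":"/admin","request_x-forwarded-user":"admin"}
{"ClientAddr":"198.51.100.4:51002","RequestPath":"/","request_User-Agent":"curl/8.0"}
{"ClientAddr":"203.0.113.9:51003","RequestPath":"/api","request_X-FORWARDED-EMAIL":"root@example.com"}`

// Forwarded identity headers a client should never be supplying (assumed list).
var identityHeaders = []string{"X-Forwarded-User", "X-Forwarded-Email"}

// scanAccessLog flags a logged request header whose name is not in canonical form (a
// sanitization-bypass probe) and any forwarded identity header, matched case-insensitively.
func scanAccessLog(log string) []string {
	var findings []string
	for i, line := range strings.Split(log, "\n") {
		var entry map[string]any
		if json.Unmarshal([]byte(line), &entry) != nil {
			continue // malformed line: skip it rather than abort the scan
		}
		client, _ := entry["ClientAddr"].(string)
		for field := range entry {
			if !strings.HasPrefix(field, "request_") {
				continue
			}
			name := strings.TrimPrefix(field, "request_")
			if http.CanonicalHeaderKey(name) != name {
				findings = append(findings, fmt.Sprintf("line %d from %s: non-canonical header name %q", i+1, client, name))
			}
			for _, id := range identityHeaders {
				if strings.EqualFold(name, id) {
					findings = append(findings, fmt.Sprintf("line %d from %s: client-supplied identity header %q", i+1, client, name))
				}
			}
		}
	}
	return findings
}

func main() {
	fmt.Println(strings.Join(scanAccessLog(sampleLog), "\n"))
}
```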
Search Traefik access logs for non-canonical header patterns:
```bash
# Look for lowercase x-forwarded headers that should have been stripped,
# excluding lines that only carry the canonical (expected) forms
grep -i '"x-forwarded-user":\|"x-forwarded-email":' /var/log/traefik/access.log | \
  grep -v '"X-Forwarded-User":\|"X-Forwarded-Email":' | head -50

# Look for authentication bypasses (requests reaching backend without expected auth headers)
grep '"user":""' /var/log/traefik/access.log | tail -100
```
Post-Remediation Checklist
- Patch Traefik to version 2.11.43, 3.6.14, or 3.7.0-rc.2
- Patch both CVEs — CVE-2026-35051 and CVE-2026-39858 are fixed in the same releases
- Review all ForwardAuth and snippet-based middleware configurations
- Harden auth service to avoid trusting forwarded identity headers from incoming requests
- Audit logs for non-canonical header patterns indicating prior exploitation
- Revoke sessions for any services that may have been accessed via bypassed auth
- Test end-to-end authentication flows post-patch