CVE-2026-54763 in Traefik
Summary
by MITRE • 07/06/2026
Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which many backends normalize identically to dashed forms. An attacker able to reach a protected route can inject an underscore-variant header that survives Traefik's stripping and reaches the backend alongside, or on the unauthenticated ForwardAuth authResponseHeaders path instead of, the value Traefik intended to set, spoofing identity or authorization context. This issue is fixed in versions v2.11.51, v3.6.22, and v3.7.6.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/06/2026
Traefik serves as a critical component in modern web architectures acting as an HTTP reverse proxy and load balancer that handles authentication and authorization flows through its various middleware implementations. The vulnerability affects the BasicAuth, DigestAuth, and ForwardAuth middlewares which are designed to manage user authentication and identity propagation within distributed systems. These components operate by processing HTTP headers that contain authentication context and identity information flowing between clients, the proxy, and backend services.
The technical flaw resides in Traefik's header processing logic where it strips canonical-cased spoofed identity headers but fails to account for underscore-variant header names that are commonly normalized by backend systems. This inconsistency creates a potential attack vector because many web servers and frameworks treat header names with underscores identically to their dashed counterparts during normalization processes. When Traefik processes authentication headers, it removes the standard canonical forms but leaves underscore variants untouched, allowing attackers to inject malicious values that bypass the intended security controls.
The operational impact of this vulnerability is significant as it enables authenticated identity spoofing attacks against protected routes. An attacker who can access a protected endpoint can manipulate header injection by adding underscore-variant authentication headers that survive Traefik's stripping mechanism and reach backend services unmodified. This creates scenarios where backend systems receive conflicting identity information, potentially allowing unauthorized access or privilege escalation. The vulnerability is particularly dangerous when combined with the ForwardAuth middleware's authResponseHeaders path which processes headers during authentication flows.
This issue maps to CWE-284 Access Control Bypass and represents a specific case of header manipulation that violates the principle of least privilege in authentication systems. The vulnerability also aligns with ATT&CK technique T1566 Credential Stuffing and T1078 Valid Accounts as it enables unauthorized users to assume legitimate identities within the system. The attack scenario involves an attacker leveraging the header normalization inconsistency to inject malicious values that bypass Traefik's intended security controls, effectively creating a path for privilege escalation or unauthorized access.
The fix implemented in versions v2.11.51, v3.6.22, and v3.7.6 addresses this by ensuring consistent header stripping across both canonical and underscore variants. This comprehensive approach ensures that all forms of identity headers are properly sanitized regardless of their naming convention, maintaining the integrity of authentication flows. Organizations should immediately upgrade to these patched versions and conduct thorough security assessments of their Traefik configurations, particularly examining custom middleware implementations and authentication policies that may be vulnerable to similar header manipulation attacks.