CVE-2026-54764 in Traefikinfo

Summary

by MITRE • 07/07/2026

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's ForwardAuth middleware, even when configured with trustForwardHeader: false, derives the X-Forwarded-Port header sent to the authentication service from the original incoming request instead of the sanitized forwarded request. As a result, an unauthenticated remote attacker can inject an X-Forwarded-Proto: https header over a plain HTTP connection and cause Traefik to forward X-Forwarded-Port: 443 to the authentication service, bypassing port-based authorization checks. This issue is fixed in versions v2.11.51, v3.6.22, and v3.7.6.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability in Traefik's ForwardAuth middleware represents a critical security flaw that undermines the integrity of authentication mechanisms through improper header handling. This issue affects multiple versions of Traefik including v2.11.51, v3.6.22, and v3.7.6, where the system fails to properly sanitize forwarded headers before passing them to authentication services. The vulnerability stems from the middleware's behavior when trustForwardHeader is set to false, yet it still processes the X-Forwarded-Port header from the original connection rather than the sanitized forwarded request. This misconfiguration creates a pathway for attackers to manipulate authentication flows by injecting malicious headers that alter the perceived connection properties.

The technical implementation flaw occurs within Traefik's HTTP request processing pipeline where the ForwardAuth middleware does not properly distinguish between original incoming requests and forwarded requests when handling X-Forwarded-Port information. When an attacker sends a request over plain HTTP but includes a manipulated X-Forwarded-Proto: https header, the system incorrectly interprets this as an HTTPS connection and forwards port 443 to the authentication service regardless of the actual transport layer. This behavior violates fundamental security principles of request sanitization and trust boundary enforcement, creating an opportunity for bypassing authorization controls that rely on port-based validation mechanisms.

From an operational impact perspective, this vulnerability allows unauthenticated remote attackers to effectively bypass port-based access controls within authentication systems. The attack vector is particularly dangerous because it requires no prior authentication credentials and can be executed over standard HTTP connections. Authentication services that implement port-based restrictions or validate connection properties based on forwarded headers become vulnerable to manipulation, potentially allowing unauthorized access to protected resources. This issue specifically targets the trust model between reverse proxy and authentication service, undermining the security assumptions of the entire authorization chain.

The vulnerability aligns with CWE-284 Access Control Issues and represents a specific instance of improper input validation where forwarded headers are not properly sanitized before being passed to downstream services. From an ATT&CK perspective, this maps to privilege escalation techniques through manipulation of authentication flows and can be categorized under T1566 Credential Access through network infrastructure manipulation. Organizations implementing Traefik with ForwardAuth middleware should immediately update to the patched versions to prevent potential exploitation, as the vulnerability enables attackers to bypass security controls that depend on connection port validation. The fix in versions v2.11.51, v3.6.22, and v3.7.6 ensures proper header sanitization and correct handling of forwarded request properties, restoring the intended trust boundaries between proxy and authentication services.

Security teams should conduct immediate assessments of their Traefik configurations to identify instances where ForwardAuth middleware is deployed with trustForwardHeader set to false, and verify that appropriate network segmentation and additional authentication controls are in place as defensive measures. The vulnerability demonstrates the importance of proper header sanitization in reverse proxy implementations and highlights the need for comprehensive testing of authentication flow integrity when deploying security controls that depend on forwarded request properties.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!