Traefik Authentication Bypass Vulnerability in ForwardAuth Middleware

Vulnerability

An authentication bypass vulnerability has been identified in Traefik's ForwardAuth middleware. This issue affects Traefik versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2. The vulnerability arises when trustForwardHeader is set to false and Traefik is deployed behind a trusted upstream proxy. In this configuration the other X-Forwarded-* headers are stripped and rebuilt as intended, but the X-Forwarded-Prefix header is neither stripped nor rebuilt. This oversight allows an attacker to supply a spoofed prefix value, potentially bypassing authentication and gaining unauthorized access to protected backend routes.
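To illustrate the strip-and-rebuild step the advisory refers to, here is an added Go sketch (not Traefik's own code) of a ForwardAuth-style header builder that treats X-Forwarded-Prefix the same way as the other X-Forwarded-* headers when trustForwardHeader is false. The names AuthHeaders, forwardedHeaders and the routedPrefix parameter are assumptions for this example.

```go
package main

import (
	"net"
	"net/http"
)

// Headers a ForwardAuth-style middleware hands to the auth server. X-Forwarded-Prefix
// is listed on purpose: the advisory describes it being left out of the strip/rebuild step.
var forwardedHeaders = []string{
	"X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Proto",
	"X-Forwarded-Method", "X-Forwarded-Uri", "X-Forwarded-Prefix",
}

// AuthHeaders builds the X-Forwarded-* set sent to the auth server for req.
// routedPrefix is a hypothetical input: the prefix the proxy's own routing layer
// stripped before this middleware ran ("" if none). With trustForwardHeader=false
// every client-supplied value is discarded and the set is rebuilt from the
// connection the proxy actually saw, prefix included.
func AuthHeaders(req *http.Request, trustForwardHeader bool, routedPrefix string) http.Header {
	out := http.Header{}
	if trustForwardHeader {
		// Trusted upstream proxy: pass its values through unchanged.
		for _, h := range forwardedHeaders {
			if v := req.Header.Get(h); v != "" {
				out.Set(h, v)
			}
		}
		return out
	}
	host, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		host = req.RemoteAddr
	}
	proto := "http"
	if req.TLS != nil {
		proto = "https"
	}
	out.Set("X-Forwarded-For", host)
	out.Set("X-Forwarded-Host", req.Host)
	out.Set("X-Forwarded-Proto", proto)
	out.Set("X-Forwarded-Method", req.Method)
	out.Set("X-Forwarded-Uri", req.URL.RequestURI())
	// The step the advisory is about: only the router's own decision may populate
	// the prefix; a client-supplied X-Forwarded-Prefix never reaches the auth server.
	if routedPrefix != "" {
		out.Set("X-Forwarded-Prefix", routedPrefix)
	}
	return out
}
```

The same pattern applies to any header the auth server uses for its decision: values the proxy did not compute itself must be treated as untrusted input.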

Impact

Exploitation of this vulnerability allows for authentication bypass, enabling unauthorized access to protected routes on the backend.

Remediation

Users can upgrade to Traefik versions 2.11.43, 3.6.14, or 3.7.0-rc.2 to address this vulnerability.

Added: Apr 30, 2026, 9:34 PM
Updated: Apr 30, 2026, 9:34 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 5.0
exploitability: 7.9
remediation: 7.7
relevance: 7.1
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.