Traefik Errors Middleware Information Disclosure Vulnerability

Vulnerability

A medium severity information disclosure vulnerability exists in Traefik's errors middleware in versions prior to 2.11.44, 3.6.15, and 3.7.0-rc.3. The vulnerability arises because the middleware forwards the complete header set of the original request, including sensitive headers such as Authorization and Cookie, to the separate error page service. This forwarding happens whenever the backend response status falls within the status range configured for the middleware. The documentation only mentions that the Host header is forwarded by default, leaving operators unaware that sensitive credentials are being shared across service boundaries. As a result, end-user credentials may be inadvertently exposed to unintended infrastructure.

Impact

Exploitation of this vulnerability could lead to unauthorized information disclosure, with sensitive user credentials being exposed to an unintended service or infrastructure component.

Remediation

Users can upgrade to Traefik versions 2.11.44, 3.6.15, or 3.7.0-rc.3 to address this vulnerability.
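Added here as an aid to the remediation step (not code from the Traefik project or this advisory): a Python check that decides whether a Traefik version string is below the fixed version for its release branch, using the three fixed versions named above. It assumes Traefik's `x.y.z` / `x.y.z-rc.N` version format and that the `traefik version` command prints a `Version:` line; both are assumptions, not taken from the advisory.

```python
"""Decide whether a Traefik build is affected by the errors-middleware header leak."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, Optional[int]]  # (major, minor, patch, rc or None)

# Fixed version per release branch, as listed in the advisory.
FIXED = {
    (2, 11): (2, 11, 44, None),
    (3, 6): (3, 6, 15, None),
    (3, 7): (3, 7, 0, 3),  # 3.7.0-rc.3
}

# Assumed Traefik version format: optional "v", then x.y.z, optionally "-rc.N".
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.(\d+))?$")


def parse_version(text: str) -> Version:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Traefik version: {text!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch), (int(rc) if rc is not None else None)


def _key(v: Version):
    major, minor, patch, rc = v
    # A release candidate sorts before the final release with the same x.y.z.
    return (major, minor, patch, 0 if rc is not None else 1, rc or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fix for its branch, False if fixed, None if the
    advisory does not cover that major line at all."""
    v = parse_version(version)
    same_major = [f for f in FIXED.values() if f[0] == v[0]]
    if not same_major:
        return None
    branch_fix = FIXED.get((v[0], v[1]))
    if branch_fix is not None:
        return _key(v) < _key(branch_fix)
    # Unlisted branch (e.g. 3.5.x or 3.8.x): compare against the newest fix on this major.
    return _key(v) < max(_key(f) for f in same_major)


def version_from_cli_output(output: str) -> str:
    """Pull the version out of `traefik version` output (assumed 'Version:' line)."""
    m = re.search(r"^Version:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version:' line found")
    return m.group(1)
```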

Added: May 15, 2026, 5:31 PM
Updated: May 15, 2026, 5:31 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 0.8
exploitability: 5.0
remediation: 7.7
relevance: 8.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.