EXECUTIVE SUMMARY:
Three high-severity authentication bypass vulnerabilities have been identified in Traefik’s routing and authentication middleware, specifically in the StripPrefixRegex and ForwardAuth functionality under certain deployment configurations. They stem from improper handling of URL normalization and of trusted forwarded headers, which can be abused to manipulate request routing, spoof forwarded headers, and bypass authentication controls. In particular, when Traefik is deployed behind a trusted upstream proxy or configured with specific forwarding rules, an attacker may gain unauthorized access to protected backend services without valid credentials. The impact is significant, as the issues directly undermine Traefik’s access-control enforcement and increase the risk of full application-layer exposure.

CVE-2026-40912 (CVSS 7.8): Traefik’s `StripPrefixRegex` middleware, when used in combination with `ForwardAuth`, `BasicAuth`, or `DigestAuth`, has an authentication bypass vulnerability. An unauthenticated attacker can exploit it against any backend that performs dot-segment normalization, i.e. a backend that resolves `.` and `..` path segments itself, so that the path it serves can differ from the path the authentication middleware evaluated.

CVE-2026-39858 (CVSS 7.8): Traefik’s `ForwardAuth` and snippet-based authentication middleware can be bypassed through forwarded-header alias spoofing. Traefik’s forwarded-header sanitization logic targets only canonical header names and does not strip or normalize alias variants that use underscores instead of dashes (the underscore spelling of an `X-Forwarded-*` header), so such a client-supplied alias survives sanitization.

CVE-2026-35051 (CVSS 7.8): Traefik’s `ForwardAuth` middleware with `trustForwardHeader=false` allows a spoofed `X-Forwarded-Prefix` header to bypass authentication when Traefik is deployed behind a trusted upstream proxy.
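As an added illustration of the two mechanisms named above (forwarded-header alias spoofing, and dot-segment normalization on a path that still carries `.`/`..` after prefix stripping), here is a small Go edge-side sanitizer. It is example code written for this page, not Traefik’s own code or its fix. The header families it strips, the CGI-style folding of underscores to dashes, and the decision to refuse paths that backend normalization would rewrite are this example’s assumptions about a reasonable hardening, not behaviour the advisories describe; the sample request at the bottom is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"sort"
	"strings"
)

// forwardedFamilies are the header-name prefixes (in normalized form) that an
// edge proxy which does not trust client-supplied forwarding information must
// drop before the request reaches an authentication step. Assumed list for
// this example; extend it to whatever your auth backend actually consumes.
var forwardedFamilies = []string{"x-forwarded-", "forwarded", "x-real-ip"}

// normalizeHeaderName folds a header name into the form a CGI-style backend
// sees after its own mapping: lower-case, with every underscore treated as a
// dash. This is what makes "X_Forwarded_Prefix" and "X-Forwarded-Prefix"
// compare equal, which a sanitizer keyed on canonical names alone misses.
func normalizeHeaderName(name string) string {
	return strings.ToLower(strings.ReplaceAll(name, "_", "-"))
}

// isForwardedHeader reports whether name, in any dash/underscore spelling,
// belongs to one of the forwarded families.
func isForwardedHeader(name string) bool {
	n := normalizeHeaderName(name)
	for _, fam := range forwardedFamilies {
		if strings.HasPrefix(n, fam) {
			return true
		}
	}
	return false
}

// StripUntrustedForwardedHeaders removes every forwarded header, alias
// spellings included, and returns the dropped names (sorted) for logging.
// Keys are deleted directly from the map rather than via Header.Del, because
// Del canonicalizes its argument and would miss a key that was stored in a
// non-canonical spelling.
func StripUntrustedForwardedHeaders(h http.Header) []string {
	var dropped []string
	for name := range h {
		if isForwardedHeader(name) {
			dropped = append(dropped, name)
			delete(h, name)
		}
	}
	sort.Strings(dropped)
	return dropped
}

// PathNormalizationDrift reports whether a backend that resolves dot segments
// ("." and "..", RFC 3986 section 5.2.4) would serve a different path than the
// one an authentication middleware evaluated; normalized is the path such a
// backend would see. Percent-encoded dot segments are not decoded here: if the
// backend decodes before it normalizes (an assumption about the backend, not
// something the advisories state), run the check on the decoded path as well.
func PathNormalizationDrift(rawPath string) (normalized string, drifted bool) {
	if rawPath == "" {
		rawPath = "/"
	}
	normalized = path.Clean(rawPath)
	// path.Clean strips a trailing slash; restore it so a trailing-slash-only
	// difference is not reported as drift.
	if strings.HasSuffix(rawPath, "/") && normalized != "/" {
		normalized += "/"
	}
	return normalized, normalized != rawPath
}

// gateRequest runs both checks the way an edge would before invoking auth:
// strip untrusted forwarding headers, then refuse paths that backend
// normalization would rewrite. Returns a decision string for the caller.
func gateRequest(r *http.Request) string {
	dropped := StripUntrustedForwardedHeaders(r.Header)
	if normalized, drifted := PathNormalizationDrift(r.URL.Path); drifted {
		return fmt.Sprintf("reject: %q would be served as %q", r.URL.Path, normalized)
	}
	if len(dropped) > 0 {
		return fmt.Sprintf("allow (stripped %v)", dropped)
	}
	return "allow"
}

func main() {
	// Constructed sample request: an underscore alias next to the canonical
	// spelling, and a path that still carries a dot segment.
	req, _ := http.NewRequest("GET", "http://app.internal/api/../admin", nil)
	req.Header.Set("X-Forwarded-Prefix", "/public")
	req.Header["X_Forwarded_Prefix"] = []string{"/public"}
	req.Header.Set("Authorization", "Basic Zm9vOmJhcg==")
	fmt.Println(gateRequest(req))

	clean, _ := http.NewRequest("GET", "http://app.internal/admin/", nil)
	fmt.Println(gateRequest(clean))
}
```

The point of the folding step is that a sanitizer which compares against `X-Forwarded-Prefix` only will leave `X_Forwarded_Prefix` in place, while CGI-style backends map both to the same `HTTP_X_FORWARDED_PREFIX` variable. Such edge-side checks reduce exposure but are not a substitute for upgrading to the fixed Traefik versions.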
RECOMMENDATION:
We strongly recommend updating Traefik to the fixed versions given in the GitHub advisory for each CVE:
CVE-2026-40912: https://github.com/advisories/GHSA-6jwx-7vp4-9847
CVE-2026-39858: https://github.com/advisories/GHSA-5m6w-wvh7-57vm
CVE-2026-35051: https://github.com/advisories/GHSA-6384-m2mw-rf54
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-6jwx-7vp4-9847
https://github.com/advisories/GHSA-5m6w-wvh7-57vm
https://github.com/advisories/GHSA-6384-m2mw-rf54