CVE-2026-35051

Summary

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

Affected Software

VendorProductVersion RangeStatus
traefiktraefik< 2.11.43affected
traefiktraefik>= 3.0.0-beta1, < 3.6.14affected
traefiktraefik>= 3.7.0-ea.1, < 3.7.0-rc.2affected

Weaknesses

  • CWE-345: CWE-345: Insufficient Verification of Data Authenticity

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

Traefik: github.com/traefik/traefik: Traefik: Authentication bypass in ForwardAuth middleware

Additional References

References