Traefik, Authentication Bypass, CVE(Not provided) (High)

Listen to this Post

How the mentioned CVE works

The vulnerability chains two flaws in Traefik’s request handling. First, Traefik sanitizes only canonical forwarded headers (e.g., X-Forwarded-Proto) but ignores underscore aliases like X_Forwarded_Proto. This happens because the ingress header list in `pkg/middlewares/forwardedheaders/forwarded_header.goL29-L36` defines only dash‑based names. Second, during ForwardAuth or snippet‑based auth, Traefik copies all client headers into the auth subrequest (pkg/middlewares/auth/forward.goL401-L408 and pkg/middlewares/ingressnginx/snippet/snippet.goL574-L581), with no normalization or deduplication. Only hop‑by‑hop headers are removed, so attacker‑supplied alias headers reach the auth backend intact. If that backend normalizes header names (treating underscores and dashes as equivalent), it will accept the aliases as legitimate trust context. An attacker can then inject `X_Forwarded_Proto: https` or similar aliases to satisfy authentication checks, bypassing both ingress sanitization and auth verification. The result is unauthorized access to protected routes without credentials, effectively undermining the entire ForwardAuth mechanism.

dailycve form

Platform: Traefik proxy
Version: Multiple versions
Vulnerability: Authentication bypass
Severity: High
date: 2026-04-24

Prediction: Unknown patch date

What Undercode Say:

Check for alias header forwarding in Traefik logs
grep -i "x_forwarded_" /var/log/traefik/access.log
Test exploit with curl (assuming auth backend normalizes headers)
curl -H "X_Forwarded_Proto: https" -H "X_Forwarded_Host: trusted.example" http://target/protected
Simulate header copying in ForwardAuth (from source)
grep -A5 "CopyHeaders" pkg/middlewares/auth/forward.go
Remediation: strip alias headers using middleware config
traefik --middlewares.strip-alias-headers.headers.customRequestHeaders.X_Forwarded_Proto=""

how Exploit:

Send a single HTTP request containing underscore versions of trusted forwarded headers (e.g., X_Forwarded_Proto, X_Forwarded_Host) to a protected route. The proxy forwards these aliases to the auth backend unchanged. When the backend normalizes them to canonical dash‑forms, the spoofed values satisfy trust predicates (HTTPS, allowed host), granting access without valid credentials.

Protection from this CVE

  • Strip or reject all underscore‑based alias headers at ingress before any auth processing.
  • Regenerate forwarded headers from trusted sources (e.g., TLS termination) instead of trusting client input.
  • Use an explicit allowlist of headers forwarded to auth backends (do not copy all headers).
  • Normalize header names to a single canonical form (dashes) early in the request pipeline.

Impact:

Unauthenticated attackers can bypass proxy‑level authentication, access protected backend endpoints, and interact with internal services as if fully authenticated, exposing sensitive data and functionality.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top