Traefik, Authentication Bypass via ForwardAuth, High

Listen to this Post

The vulnerability (no assigned CVE but described as high severity) lies in Traefik’s ForwardAuth middleware when `trustForwardHeader=false` is set and Traefik runs behind a trusted upstream proxy. The `writeHeader` function in `pkg/middlewares/auth/forward.go` copies all incoming request headers into the auth subrequest. Then it selectively rebuilds a subset of `X-Forwarded-` headers (e.g., X-Forwarded-For, X-Forwarded-Host) but does not rebuild or remove X-Forwarded-Prefix. An attacker can send a spoofed `X-Forwarded-Prefix: /admin` header. When `StripPrefix` middleware runs before ForwardAuth, Traefik appends the stripped prefix (e.g., /forbidden) using Header.Add. The auth service receives both headers in order: attacker’s `/admin` then Traefik’s /forbidden. Many auth services take the first value, thus thinking the request originated from `/admin` instead of /forbidden. Since `trustForwardHeader=false` is supposed to discard untrusted forwarded headers, this breaks the trust boundary. Direct requests to Traefik (without a proxy) correctly ignore the spoofed header and return 403. But when the request passes through a trusted upstream proxy that sets `X-Forwarded-For` etc., Traefik accepts the proxy as trusted and forwards the attacker’s `X-Forwarded-Prefix` untouched to the auth service. The PoC uses Traefik v3.6.12, Nginx as trusted proxy, and a Python auth server that authorizes only /admin. Spoofing `/admin` grants access to /forbidden/test, proving bypass.
Platform: Traefik
Version: v3.6.12
Vulnerability: Auth Bypass
Severity: High
date: 2026-04-24

Prediction: Unknown within 30d

What Undercode Say:

Create traefik.toml with trusted IPs
cat > traefik.toml <<EOF
[entryPoints.web]
address = ":80"
[entryPoints.web.forwardedHeaders]
trustedIPs = ["172.31.79.0/24"]
[providers.file]
filename = "/etc/traefik/dynamic.toml"
EOF
dynamic.toml with strip-prefix then forwardAuth
cat > dynamic.toml <<EOF
[http.routers.app]
rule = "Host(\`app.local\`) && PathPrefix(\`/forbidden\`)"
middlewares = ["strip-forbidden", "authz"]
service = "backend"
[http.middlewares.strip-forbidden.stripPrefix]
prefixes = ["/forbidden"]
[http.middlewares.authz.forwardAuth]
address = "http://auth:8000/check"
trustForwardHeader = false
EOF
Spoofed request through trusted proxy (bypass)
curl -H 'Host: app.local' -H 'X-Forwarded-Prefix: /admin' http://127.0.0.1:18080/forbidden/test

Exploit:

Attacker places a reverse proxy (e.g., Nginx) on a trusted IP range defined in Traefik’s trustedIPs. The proxy forwards any client request. Attacker sends `X-Forwarded-Prefix: /admin` to the proxy. Traefik sees the proxy as trusted, copies the malicious header into the auth subrequest without stripping it. StripPrefix later appends the real prefix (/forbidden), but the auth service uses the first value (/admin) and grants access to `/forbidden` routes.

Protection from this CVE:

Upgrade Traefik to a patched version (v3.6.13+ or v3.7+ where `X-Forwarded-Prefix` is rebuilt or removed when trustForwardHeader=false). As a workaround, configure `authRequestHeaders` to explicitly exclude X-Forwarded-Prefix, or override it in the auth service to always ignore the first value and use the last (Traefik-generated) prefix. Alternatively, avoid using `StripPrefix` together with `ForwardAuth` until patched.

Impact:

Unauthenticated remote attacker bypasses path-based authorization, accessing protected backend routes that should be forbidden. Affects any deployment where Traefik sits behind a trusted proxy, uses `ForwardAuth` with trustForwardHeader=false, and the auth server reads `X-Forwarded-Prefix` for decisions. Complete authentication bypass leading to data exposure or unauthorized actions.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top