How the mentioned CVE works: In Traefik v3.6.13 the errors middleware copies the full set of original request headers, including Authorization and Cookie, into the secondary request it sends to a separate error page service whenever the backend answers with a 500-599 status. The root cause is in pkg/middlewares/customerrors/custom_errors.go:151-160: the default branch calls utils.CopyHeaders(pageReq.Header, req.Header) unless the NginxHeaders branch is explicitly used. The documentation only mentions that Host is forwarded and gives no warning about credentials.

In the reported setup the router audit-customerrors@docker uses the middleware audit-leak@docker with errors.status=500-599, errors.service=audit-error and errors.query=/collect. When the backend returns 500, Traefik builds a secondary request to the error service and copies the Authorization and Cookie headers into it. This breaks the confidentiality boundary between the backend chain and the error page service: anyone who can make the backend return an error status (for example a forced 500) can cause tokens to be sent to the error service. Neither api.insecure nor debug mode is required; the default behaviour copies the entire header map, sensitive authentication material included. The error service receives the leaked credentials as a JSON response.
dailycve form:
Platform: Traefik
Version: v3.6.13
Vulnerability: Header disclosure
Severity: Medium
Date: 2026-04-13
Prediction: 2026-04-20
What Undercode Say:
Check if errors middleware is used with separate service
traefik version | grep "Version: v3.6.13"
docker inspect <container> | grep -A5 "errors.service"
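The grep above only tells you that the string errors.service appears somewhere in the container metadata. The following added example (written for this post, not code from Traefik or the original reporter) does the same audit in a structured way: it walks a container's label map, as docker inspect prints it under .Config.Labels, and reports every errors middleware that hands error responses to a separate service, which is the precondition for the leak. The label layout it assumes is Traefik's docker provider scheme traefik.http.middlewares.<name>.errors.<option>; the sampleLabels map is constructed from the router and middleware names quoted in this post and is not real docker inspect output.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// errorsMiddleware summarises one errors middleware defined through docker labels.
type errorsMiddleware struct {
	Name    string
	Service string
	Status  string
	Query   string
}

// findErrorsMiddlewares scans a container's labels (the .Config.Labels map that
// docker inspect prints) and returns every Traefik errors middleware that points
// at a separate service. The label layout assumed here is Traefik's docker
// provider scheme: traefik.http.middlewares.<name>.errors.<option>.
func findErrorsMiddlewares(labels map[string]string) []errorsMiddleware {
	const prefix = "traefik.http.middlewares."
	found := map[string]*errorsMiddleware{}
	for key, value := range labels {
		if !strings.HasPrefix(key, prefix) {
			continue
		}
		// Remaining key is <name>.errors.<option>; anything else is another middleware type.
		parts := strings.SplitN(strings.TrimPrefix(key, prefix), ".", 3)
		if len(parts) != 3 || parts[1] != "errors" {
			continue
		}
		m, ok := found[parts[0]]
		if !ok {
			m = &errorsMiddleware{Name: parts[0]}
			found[parts[0]] = m
		}
		switch parts[2] {
		case "service":
			m.Service = value
		case "status":
			m.Status = value
		case "query":
			m.Query = value
		}
	}
	var out []errorsMiddleware
	for _, m := range found {
		// Only middlewares that hand errors to another service cross a trust boundary.
		if m.Service != "" {
			out = append(out, *m)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// sampleLabels is a constructed label set modelled on the router and middleware
// names quoted in the post; it is not real docker inspect output.
var sampleLabels = map[string]string{
	"traefik.http.routers.audit-customerrors.middlewares":  "audit-leak@docker",
	"traefik.http.middlewares.audit-leak.errors.status":    "500-599",
	"traefik.http.middlewares.audit-leak.errors.service":   "audit-error",
	"traefik.http.middlewares.audit-leak.errors.query":     "/collect",
	"traefik.http.middlewares.ratelimit.ratelimit.average": "100",
	"com.docker.compose.service":                           "audit-backend",
}

func main() {
	for _, m := range findErrorsMiddlewares(sampleLabels) {
		fmt.Printf("errors middleware %q sends %s responses to service %q (query %s); "+
			"verify the Traefik version and header handling for this route\n",
			m.Name, m.Status, m.Service, m.Query)
	}
}
```

To run it against a live host, replace sampleLabels with the JSON from docker inspect decoded into a map[string]string; every reported middleware is a route where a 5xx from the backend causes a secondary request to another service.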
Simulate leak with curl (backend returns 500)
curl -H "Authorization: Bearer secret" -H "Cookie: session=abc" http://localhost:28080/audit-customerrors
Python PoC snippet
import urllib.request
import urllib.error

req = urllib.request.Request("http://localhost:28080/trigger500")
req.add_header("Authorization", "Bearer token")
req.add_header("Cookie", "sessionid=value")
try:
    urllib.request.urlopen(req)
except urllib.error.HTTPError as e:  # urlopen raises on 5xx; the body is the error page
    print(e.code, e.read().decode(errors="replace"))
Exploit:
Force any backend route behind the middleware to return 500-599 (e.g. trigger an application error). Traefik then automatically forwards the original Authorization and Cookie headers to the error service endpoint (e.g. /collect). An attacker who controls the error service, or who can observe its logs, captures bearer tokens and session cookies.
Protection from this CVE
Upgrade to Traefik v2.11.44, v3.6.15, or v3.7.0-rc.3 or later. Until the upgrade is in place, enable the NginxHeaders branch with an explicit allowlist, or strip sensitive headers (Authorization, Cookie) from the error page request before it is sent.
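The root cause described above is a blanket header copy into the error page request; the fix is either an allowlist or stripping credential headers. The following added example (written for this post, not Traefik's own code) models both behaviours side by side in Go so the difference can be checked: copyAllHeaders reproduces the unsafe default, copyHeadersForErrorPage is the hardened variant, and leakedCredentials is the check to run on the outbound error page request. Function names, the sensitiveRequestHeaders list and the sample request headers are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// sensitiveRequestHeaders lists credential-bearing header names that must never
// reach a secondary (error page) service. Constructed for this example; extend
// it to match your deployment (e.g. X-Api-Key).
var sensitiveRequestHeaders = []string{
	"Authorization",
	"Proxy-Authorization",
	"Cookie",
}

// isSensitiveHeader reports whether name is in sensitiveRequestHeaders (case-insensitive).
func isSensitiveHeader(name string) bool {
	for _, s := range sensitiveRequestHeaders {
		if strings.EqualFold(name, s) {
			return true
		}
	}
	return false
}

// copyAllHeaders reproduces the unsafe default described in the post: every
// header of the original request is copied verbatim into the error page
// request. Kept only so the two behaviours can be compared.
func copyAllHeaders(dst, src http.Header) {
	for k, vv := range src {
		for _, v := range vv {
			dst.Add(k, v)
		}
	}
}

// copyHeadersForErrorPage is the hardened variant: credential headers are always
// dropped, and if allow is non-empty it acts as an allowlist so only the named
// headers are copied at all.
func copyHeadersForErrorPage(dst, src http.Header, allow []string) {
	allowed := make(map[string]bool, len(allow))
	for _, a := range allow {
		allowed[http.CanonicalHeaderKey(a)] = true
	}
	for k, vv := range src {
		ck := http.CanonicalHeaderKey(k)
		if isSensitiveHeader(ck) {
			continue
		}
		if len(allowed) > 0 && !allowed[ck] {
			continue
		}
		for _, v := range vv {
			dst.Add(ck, v)
		}
	}
}

// leakedCredentials returns, sorted, the names of sensitive headers present in h.
// Run it on the request that is about to go to the error service; an empty
// result is the invariant the middleware must hold.
func leakedCredentials(h http.Header) []string {
	var out []string
	for k := range h {
		if isSensitiveHeader(k) {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

// sampleRequestHeaders builds a constructed client request header set like the
// curl invocation in the post.
func sampleRequestHeaders() http.Header {
	h := http.Header{}
	h.Set("Host", "audit.example")
	h.Set("Authorization", "Bearer secret")
	h.Set("Cookie", "session=abc")
	h.Set("Accept", "text/html")
	return h
}

func main() {
	orig := sampleRequestHeaders()

	unsafe := http.Header{}
	copyAllHeaders(unsafe, orig)
	fmt.Println("default copy forwards:", leakedCredentials(unsafe))

	safe := http.Header{}
	copyHeadersForErrorPage(safe, orig, []string{"Host", "Accept"})
	fmt.Println("hardened copy forwards:", leakedCredentials(safe))
}
```

The allowlist form is the stricter of the two and is the one to prefer for a service that only needs Host to render an error page; the strip-only form (allow left empty) is the minimal change if the error service legitimately depends on other request headers.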
Impact
Bearer tokens and session cookies are leaked to a separate error service, enabling unauthorized API access or account takeover across service boundaries.
Sources:
Reported By: github.com