The vulnerability, identified as CVE-2026-26998, resides in how Traefik, a popular HTTP reverse proxy and load balancer, handles responses from an authentication server when the ForwardAuth middleware is enabled. In versions prior to 2.11.38 and 3.6.9, Traefik reads the entire response body from the authentication server into memory without applying any size limit. The code uses an unbounded read (similar to an `io.ReadAll` call) and has no `maxResponseBodySize` configuration to restrict how much data is accepted. Consequently, if the authentication server is compromised, misconfigured, or malicious and returns an excessively large or never-ending response body, Traefik keeps allocating memory to hold the incoming data. This uncontrolled allocation can exhaust the memory available on the host, leading to an out-of-memory (OOM) condition. When the Traefik process is killed by the system's OOM killer, the result is a complete denial of service (DoS) for every route and service proxied by that instance. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The attack vector is network-based, requires high privileges, and has high complexity, but successful exploitation has a high availability impact. The fix was released in versions 2.11.38 and 3.6.9.
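As an added illustration, not Traefik's own code, the following Go program places the unbounded-read pattern described above beside a bounded replacement: readBounded caps the auth response body with io.LimitReader and fails closed, and a hypothetical forwardAuthStatus helper applies that cap to a constructed local auth server that answers 200 but streams a 1 MiB body.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

var ErrResponseTooLarge = errors.New("forward-auth response body exceeds size limit")

// readUnbounded is the pre-fix pattern: io.ReadAll with no cap, so memory grows with whatever the auth server sends.
func readUnbounded(body io.Reader) ([]byte, error) {
	return io.ReadAll(body)
}

// readBounded reads at most maxBytes (asking for one extra so a body of exactly maxBytes still passes) and fails closed on anything larger.
func readBounded(body io.Reader, maxBytes int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > maxBytes {
		return nil, ErrResponseTooLarge
	}
	return buf, nil
}

// forwardAuthStatus (hypothetical helper, not Traefik's ForwardAuth code) calls the auth server and returns its status; an oversized body becomes an error instead of being buffered whole.
func forwardAuthStatus(authURL string, maxBytes int64) (int, error) {
	resp, err := http.Get(authURL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, err = readBounded(resp.Body, maxBytes)
	return resp.StatusCode, err
}

func main() {
	// Constructed auth server: answers 200 but streams a 1 MiB body.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write(bytes.Repeat([]byte("A"), 1<<20))
	}))
	defer srv.Close()
	fmt.Println(forwardAuthStatus(srv.URL, 64<<10)) // 200 forward-auth response body exceeds size limit
}
```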
Platform: Traefik
Version: <2.11.38, <3.6.9
Vulnerability: Unbounded Memory Read
Severity: Moderate (CVSS 4.4)
Date: 2026-03-05
Prediction: Patched 2026-03-05
What Undercode Say:
Analytics
The vulnerability (CWE-770) has a CVSS 3.1 score of 4.4 (AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). This indicates moderate severity with a high impact on availability, though it requires high privileges to exploit. The issue was fixed in patch releases 2.11.38 and 3.6.9 on March 5, 2026.
How It Is Exploited
A malicious actor with control over the authentication server response, or capable of man-in-the-middle (MITM) attacks between Traefik and the auth server, can send a response with a large or infinite body.
Example using curl to simulate a malicious auth server response (for educational purposes only). This command sends a large amount of data to a connecting Traefik instance. (Do not run this against production systems.)

    head -c 1000000000 /dev/zero | curl -H "Content-Type: text/plain" --data-binary @- http://target-traefik:8080/auth-endpoint
Protection from this CVE
The primary protection is to upgrade Traefik to a patched version.
Upgrade Traefik to the patched version.

For Docker users:

    docker pull traefik:v3.6.9
    docker stop <your_traefik_container>
    docker run --name traefik-updated -d traefik:v3.6.9

(Carry over the volumes, ports, and command-line arguments of the container being replaced; the run line above shows only the image change.)

For users installing from binaries, download the updated version:

    wget https://github.com/traefik/traefik/releases/download/v3.6.9/traefik_v3.6.9_linux_amd64.tar.gz
    tar -xzf traefik_v3.6.9_linux_amd64.tar.gz
    sudo mv traefik /usr/local/bin/
    sudo systemctl restart traefik

Verify the installed version:

    traefik version
Impact
Successful exploitation leads to a denial of service (DoS). The Traefik process crashes due to memory exhaustion (OOM), causing all proxied services to become unavailable until the process is restarted. This disrupts traffic for every route handled by that Traefik instance.
Sources:
Reported By: nvd.nist.gov
