SB2026050531 - Multiple vulnerabilities in Traefik

Published: May 5, 2026

Security Bulletin ID: SB2026050531
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 67%, Low: 33%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-26998)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the ForwardAuth middleware when processing responses from the configured authentication server. A remote privileged user can send a request through a ForwardAuth-protected route to cause a denial of service.

Exploitation requires Traefik to be configured to use the ForwardAuth middleware, and the authentication server must return an unexpectedly large or unbounded response body.


2) Resource exhaustion (CVE-ID: CVE-2026-26999)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the TCP router TLS handshake handling in (*Router).ServeTCP when processing TLS connections on TCP routers. A remote attacker can send an incomplete TLS record and stop further data transmission to cause a denial of service.

By opening many stalled connections in parallel, file descriptors and goroutines can be exhausted, degrading availability of services on the affected entrypoint.


3) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-29054)

The vulnerability allows a remote attacker to bypass downstream header-based authentication, authorization, routing, or scheme decisions.

The vulnerability exists due to improper handling of case sensitivity in the XForwarded middleware removeConnectionHeaders function when processing HTTP/1.1 requests with client-supplied Connection header tokens. A remote attacker can send a specially crafted request with lowercase Connection tokens to bypass downstream header-based authentication, authorization, routing, or scheme decisions.

This issue can remove Traefik-managed forwarded identity headers such as X-Real-Ip and X-Forwarded-* before they reach downstream services.
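The defect class behind item 3, shown as an added illustration written for this bulletin rather than Traefik's own code (the guard list, header names and function names are assumptions): a hop-by-hop header stripper whose allowlist compares Connection tokens case-sensitively while http.Header.Del canonicalizes its argument, beside the hardened form that canonicalizes the token before the guard.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Headers the proxy sets for the backend and must never strip (constructed list, canonical case).
var managedHeaders = map[string]bool{"X-Forwarded-For": true, "X-Forwarded-Proto": true, "X-Real-Ip": true}

// stripHopByHop removes the hop-by-hop headers named in the Connection field, skipping managed ones.
// canonicalize=false models the defect class in item 3: the guard compares the raw token
// case-sensitively, but http.Header.Del canonicalizes its argument, so a lowercase token such as
// "x-forwarded-for" passes the guard and still deletes X-Forwarded-For. canonicalize=true is the
// hardened form: guard and delete then agree on the name whatever case the client used.
func stripHopByHop(h http.Header, canonicalize bool) {
	for _, field := range h.Values("Connection") {
		for _, tok := range strings.Split(field, ",") {
			tok = strings.TrimSpace(tok)
			if canonicalize {
				tok = http.CanonicalHeaderKey(tok)
			}
			if tok == "" || managedHeaders[tok] {
				continue
			}
			h.Del(tok)
		}
	}
}

// afterStrip builds a constructed header set as it looks after the proxy added its forwarding
// headers, runs the stripper, and returns what would reach the backend.
func afterStrip(connection string, canonicalize bool) http.Header {
	h := http.Header{}
	h.Set("Connection", connection)
	h.Set("Keep-Alive", "timeout=5") // genuine hop-by-hop header, should be stripped either way
	h.Set("X-Forwarded-For", "203.0.113.7")
	h.Set("X-Real-Ip", "203.0.113.7")
	stripHopByHop(h, canonicalize)
	return h
}

func main() {
	for _, c := range []string{"keep-alive, X-Forwarded-For", "keep-alive, x-forwarded-for"} {
		fmt.Printf("Connection: %-28q  vulnerable XFF=%q  fixed XFF=%q\n", c,
			afterStrip(c, false).Get("X-Forwarded-For"), afterStrip(c, true).Get("X-Forwarded-For"))
	}
}
```

A detection angle follows from the same mismatch: a Connection field naming any X-Forwarded-* or X-Real-Ip token in a client request has no legitimate purpose and is worth alerting on at the edge.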


Remediation

Install the update from the vendor's website.