Allocation of Resources Without Limits or Throttling in Traefik - CVE-2026-26998

 


Published: May 5, 2026


Vulnerability identifier: #VU129664
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-26998
CWE-ID: CWE-770
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Traefik
Software vendor: Containous

Description

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the ForwardAuth middleware when processing responses from the configured authentication server. A remote privileged user can send a request through a ForwardAuth-protected route to cause a denial of service.

Exploitation requires Traefik to be configured to use the ForwardAuth middleware, and the authentication server must return an unexpectedly large or unbounded response body.
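The weakness class described above, shown as an added Go illustration that is not Traefik's source code or its fix: a proxy that buffers an authentication server's response body without a cap, next to a bounded read. The names `readUnbounded`, `readBounded`, `ErrAuthBodyTooLarge` and `endless`, and the 4 KiB limit, are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrAuthBodyTooLarge is a hypothetical sentinel error for this example.
var ErrAuthBodyTooLarge = errors.New("auth response body exceeds limit")

// endless is a constructed stand-in for an auth server whose body never ends.
type endless struct{}

func (endless) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

// readUnbounded is the CWE-770 pattern: the caller buffers whatever the
// peer sends, so the peer decides how much memory is allocated.
func readUnbounded(body io.Reader) ([]byte, error) {
	return io.ReadAll(body)
}

// readBounded buffers at most limit bytes. It reads one byte past the limit
// so an oversized body is rejected rather than silently truncated.
func readBounded(body io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrAuthBodyTooLarge
	}
	return data, nil
}

func main() {
	const limit = 4 << 10 // 4 KiB cap, an assumed value for the demo
	b, err := readBounded(strings.NewReader("denied"), limit)
	fmt.Printf("bounded small: %q, err=%v\n", b, err)
	_, err = readBounded(endless{}, limit) // returns after limit+1 bytes
	fmt.Printf("bounded endless: err=%v\n", err)
}
```

Passing `endless{}` to `readUnbounded` would grow the buffer until the process runs out of memory, which is the denial-of-service condition the advisory describes.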


Remediation

Install the security update from the vendor's website.
