Insufficient verification of data authenticity in Traefik - CVE-2026-35051

Published: May 5, 2026


Vulnerability identifier: #VU129677
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-35051
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Containous
Affected software:
Traefik

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication and gain unauthorized access to protected backend routes.

The vulnerability exists due to insufficient verification of data authenticity in the ForwardAuth middleware when processing authentication subrequests behind a trusted upstream proxy with trustForwardHeader=false. A remote attacker can supply a spoofed X-Forwarded-Prefix header to bypass authentication and gain unauthorized access to protected backend routes.

Exploitation is security-relevant when the authentication service relies on X-Forwarded-Prefix for authorization or routing decisions, especially when StripPrefix runs before ForwardAuth.
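The scenario the advisory describes is a ForwardAuth service whose decision keys on X-Forwarded-Prefix, a header that, per the advisory, a client could spoof even with trustForwardHeader=false. The following Go program is an added illustration written for this page; it is not Traefik's code, not the page's own, and not a reproduction of the flaw. It places the weak decision pattern beside a hardened one that never reads X-Forwarded-Prefix. Assumptions: the auth service listens at http://auth:4181/verify, the protected prefixes and the "good-session" bearer token are constructed, and the hardened variant relies on ForwardAuth being listed before StripPrefix in the router's middleware chain so that the X-Forwarded-Uri Traefik sets on the subrequest still carries the unstripped path. The advisory's own fix remains the vendor update; the ordering and decision-logic change below is defence in depth on the auth-service side.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed route policy: path prefixes that require an authenticated
// session. Everything else is public.
var protectedPrefixes = []string{"/admin", "/api/internal"}

// requiresAuth reports whether a path falls under a protected prefix
// (exact match or a proper sub-path, so "/administrator" is not "/admin").
func requiresAuth(path string) bool {
	for _, p := range protectedPrefixes {
		if path == p || strings.HasPrefix(path, p+"/") {
			return true
		}
	}
	return false
}

// sessionValid stands in for real session validation; the constructed
// bearer token "good-session" is the only credential accepted here.
func sessionValid(r *http.Request) bool {
	return r.Header.Get("Authorization") == "Bearer good-session"
}

// decideFromPrefix is the weak pattern named in the advisory: StripPrefix ran
// before ForwardAuth, so the service rebuilds the original path from
// X-Forwarded-Prefix. If that header reaches the service from the client
// unchanged, the policy lookup keys on attacker-controlled data.
func decideFromPrefix(r *http.Request) int {
	original := r.Header.Get("X-Forwarded-Prefix") + r.Header.Get("X-Forwarded-Uri")
	if requiresAuth(original) && !sessionValid(r) {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// decideFromURI is the hardened pattern: X-Forwarded-Prefix is never read.
// Assumption: ForwardAuth precedes StripPrefix in the middleware chain, so
// X-Forwarded-Uri (set by Traefik on the subrequest) holds the full path.
func decideFromURI(r *http.Request) int {
	path := r.Header.Get("X-Forwarded-Uri")
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i] // policy is evaluated on the path only, never the query
	}
	if requiresAuth(path) && !sessionValid(r) {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// authHandler is the HTTP face of the hardened decision for the (assumed)
// ForwardAuth address http://auth:4181/verify.
func authHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(decideFromURI(r))
}

// newSubrequest builds a constructed ForwardAuth subrequest as the auth
// service would see it: uri is X-Forwarded-Uri, prefix is X-Forwarded-Prefix
// (empty means absent) and token, if set, becomes the bearer credential.
func newSubrequest(uri, prefix, token string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://auth:4181/verify", nil)
	r.Header.Set("X-Forwarded-Uri", uri)
	if prefix != "" {
		r.Header.Set("X-Forwarded-Prefix", prefix)
	}
	if token != "" {
		r.Header.Set("Authorization", "Bearer "+token)
	}
	return r
}

func main() {
	// Unauthenticated access to /admin/users. With StripPrefix first the
	// subrequest carries Uri=/users and Prefix=/admin; a Prefix of /public
	// instead of /admin turns the weak decision into a pass.
	fmt.Println("weak, genuine prefix: ", decideFromPrefix(newSubrequest("/users", "/admin", "")))  // 401
	fmt.Println("weak, spoofed prefix: ", decideFromPrefix(newSubrequest("/users", "/public", ""))) // 200
	// Hardened: the prefix header is ignored, the full path decides.
	fmt.Println("hardened, spoofed:    ", decideFromURI(newSubrequest("/admin/users", "/public", "")))      // 401
	fmt.Println("hardened, session:    ", decideFromURI(newSubrequest("/admin/users", "", "good-session"))) // 200
	http.HandleFunc("/verify", authHandler) // http.ListenAndServe(":4181", nil) to serve it
}
```

The point of the comparison is where the trust boundary sits: any X-Forwarded-* value the auth service consumes is only as trustworthy as the proxy that last set it, and the advisory's finding is precisely that X-Forwarded-Prefix was not in that guaranteed set. Keying the decision on a header Traefik populates itself, and ordering the chain so that header carries the full path, removes the dependency altogether.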


How to mitigate CVE-2026-35051

Install the security update from the vendor's website.

Sources