Insufficient verification of data authenticity in Traefik - CVE-2026-35051


Published: May 5, 2026


Vulnerability identifier: #VU129677
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-35051
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Traefik
Software vendor: Containous

Description

The vulnerability allows a remote attacker to bypass authentication and gain unauthorized access to protected backend routes.

The vulnerability exists because the ForwardAuth middleware does not sufficiently verify the authenticity of forwarded headers when it builds the authentication subrequest, even behind a trusted upstream proxy with trustForwardHeader=false. A remote attacker can supply a spoofed X-Forwarded-Prefix header that reaches the authentication service, bypass authentication and gain unauthorized access to protected backend routes.

Exploitation is security-relevant when the authentication service relies on X-Forwarded-Prefix for authorization or routing decisions, especially when StripPrefix runs before ForwardAuth.
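To make the failure mode concrete, the following added example models what a ForwardAuth-style middleware should do with client-supplied X-Forwarded-* headers when trustForwardHeader=false: discard them all, X-Forwarded-Prefix included, and fill in values only from the proxy's own view of the request. This is an illustrative model written for this page, not Traefik's implementation; the proxyView type, the StrippedPrefix field and the sample hostname are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// proxyView (assumed type) holds what the proxy itself knows about the request,
// derived from the connection and routing state, not from client headers.
type proxyView struct {
	Host, Proto, Method, URI string
	StrippedPrefix           string // set by an upstream StripPrefix step, "" if none
}

// buildAuthHeaders models the header set handed to the authentication service.
// With trustForward=false every client-supplied X-Forwarded-* header is dropped
// and the canonical values come from the proxy's view; X-Forwarded-Prefix is only
// present when the proxy itself stripped a prefix. With trustForward=true the
// client's X-Forwarded-* headers are kept and used as-is when present.
func buildAuthHeaders(client http.Header, pv proxyView, trustForward bool) http.Header {
	out := http.Header{}
	for k, vs := range client {
		if !trustForward && strings.HasPrefix(strings.ToLower(k), "x-forwarded-") {
			continue // spoofable header from an untrusted client: never forwarded
		}
		out[k] = append([]string(nil), vs...)
	}
	proxyValues := map[string]string{
		"X-Forwarded-Method": pv.Method,
		"X-Forwarded-Host":   pv.Host,
		"X-Forwarded-Proto":  pv.Proto,
		"X-Forwarded-Uri":    pv.URI,
		"X-Forwarded-Prefix": pv.StrippedPrefix,
	}
	for name, v := range proxyValues {
		if v != "" && (!trustForward || out.Get(name) == "") {
			out.Set(name, v)
		}
	}
	return out
}

func main() {
	// Constructed sample: a client sends its own X-Forwarded-Prefix on a
	// request for an admin route that the proxy did not strip.
	client := http.Header{}
	client.Set("X-Forwarded-Prefix", "/public")
	client.Set("Cookie", "session=constructed")
	pv := proxyView{Host: "app.example", Proto: "https", Method: "GET", URI: "/admin/users"}
	fmt.Println(buildAuthHeaders(client, pv, false)) // no X-Forwarded-Prefix is forwarded
}
```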


Remediation

Install the security update from the vendor's website.

External links