Improper Handling of Case Sensitivity in Traefik - CVE-2026-54763
Published: July 3, 2026
Traefik
Detailed vulnerability description
The vulnerability allows a remote user to spoof identity or authorization context.
The vulnerability exists due to improper handling of case sensitivity in BasicAuth, DigestAuth, ForwardAuth, and ingress-nginx snippet authResponseHeaders handling when processing underscore-variant identity headers. A remote user can send a specially crafted request with underscore-variant headers to spoof identity or authorization context.
In the ForwardAuth authResponseHeaders path, exploitation does not require credentials.
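A defensive check for the underscore-variant header issue described above, added here as an example; it is not Traefik's code or its fix. The header name X-Forwarded-User is hypothetical, and the example assumes the backend treats "_" and "-" in header names as equivalent and ignores case.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// normalize folds case and maps '_' to '-'. Assumption of this example:
// the backend treats both spellings as the same header (CGI-style mapping).
func normalize(name string) string {
	return strings.ReplaceAll(strings.ToLower(name), "_", "-")
}

// StripIdentityVariants removes every header whose normalized name equals a
// protected identity header and returns the removed names, sorted, for logging.
func StripIdentityVariants(h http.Header, protected []string) []string {
	want := make(map[string]bool, len(protected))
	for _, p := range protected {
		want[normalize(p)] = true
	}
	var removed []string
	for name := range h {
		if want[normalize(name)] {
			removed = append(removed, name)
		}
	}
	for _, name := range removed {
		delete(h, name) // raw map delete: Header.Del would re-canonicalize the key
	}
	sort.Strings(removed)
	return removed
}

func main() {
	// Constructed request headers; "X-Forwarded-User" is a hypothetical identity header.
	h := http.Header{
		"X-Forwarded-User": {"client-supplied"},
		"X_forwarded_user": {"client-supplied"},
		"Accept":           {"*/*"},
	}
	fmt.Println(StripIdentityVariants(h, []string{"X-Forwarded-User"}), h)
}
```

Apply the check to inbound requests before the authentication middleware sets the trusted value, and log the removed names: an underscore variant of an identity header arriving from a client is a useful detection signal.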