CVE-2026-33433

HIGH

Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField

Title source: cna

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue.

References (4)

[X_Refsource_Misc] https://github.com/traefik/traefik/releases/tag/v2.11.42

[X_Refsource_Confirm] https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c

[X_Refsource_Misc] https://github.com/traefik/traefik/releases/tag/v3.6.11

[X_Refsource_Misc] https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3

Scores

CVSS v3 8.8

EPSS 0.0002

EPSS Percentile 6.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-290

Status published

Products (6)

traefik/traefik 3.7.0 ea1 (2 CPE variants)

traefik/traefik < 2.11.42 (2 CPE variants)

traefik/traefik 0 - 2.11.42Go

traefik/traefik 3.0.0-beta1 - 3.6.12Go

traefik/traefik >= 3.0.0-beta1, < 3.6.11

traefik/traefik >= 3.7.0-ea.1, < 3.7.0-ea.3

Published Mar 27, 2026

Tracked Since Mar 29, 2026