CVE-2026-39858: Traefik: Pre-authentication decision bypass due to forwarded alias spoofing
There is a high severity authentication bypass vulnerability in Traefik’s ForwardAuth and snippet-based authentication middleware. Traefik’s forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials.
An authentication bypass arises from chaining two bugs: incomplete forwarded-header sanitization at ingress and overly permissive header forwarding in pre-auth subrequests. While canonical X-Forwarded-* headers are handled, alias variants (e.g., underscore forms) are neither normalized nor stripped consistently. When downstream auth services normalize these headers, attackers can inject trusted context and bypass authentication on protected routes without credentials.
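The mitigation the advisory implies is to treat alias spellings as the same header before deciding what to strip. The following Go sanitiser is an added example (not Traefik's own code): it folds underscores to dashes before matching, so X_Forwarded_Proto is removed alongside X-Forwarded-Proto, and it reports what it removed so an alias spelling arriving at ingress can be logged. The header list and the sample request are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Forwarded-context headers an auth backend may trust. This list is an
// assumption for the example, not Traefik's own; extend it for your setup.
var forwardedNames = map[string]bool{
	"X-Forwarded-For": true, "X-Forwarded-Proto": true, "X-Forwarded-Host": true,
	"X-Forwarded-Port": true, "X-Forwarded-Server": true, "X-Forwarded-Uri": true,
	"X-Forwarded-Method": true, "X-Real-Ip": true, "Forwarded": true,
}

// foldHeaderName returns the name a lenient backend would see if it treated
// '_' and '-' as equivalent. Go's canonicalisation only adjusts case (it turns
// "X_Forwarded_Proto" into "X_forwarded_proto"), so underscores are folded first.
func foldHeaderName(name string) string {
	return http.CanonicalHeaderKey(strings.ReplaceAll(name, "_", "-"))
}

// stripForwardedAliases deletes every header whose folded name is a
// forwarded-context header, so an alias spelling cannot survive a sanitiser
// that only matches the canonical spelling. The removed names are returned
// (sorted) so the caller can log them; any alias spelling at ingress is a
// signal worth alerting on.
func stripForwardedAliases(h http.Header) []string {
	var removed []string
	for name := range h {
		if forwardedNames[foldHeaderName(name)] {
			removed = append(removed, name)
			delete(h, name)
		}
	}
	sort.Strings(removed)
	return removed
}

func main() {
	// Constructed request headers: a legitimate Authorization header plus
	// alias-spelled forwarded headers a canonical-only sanitiser would keep.
	h := http.Header{}
	h.Set("Authorization", "Bearer example")
	h.Set("X_Forwarded_Proto", "https")
	h.Set("x_forwarded_host", "trusted.internal")
	fmt.Println("removed:", stripForwardedAliases(h))
	fmt.Println("remaining:", h)
}
```

Run this sanitiser before building the ForwardAuth subrequest; only the headers that survive it should be copied to the auth backend.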
References
- github.com/advisories/GHSA-5m6w-wvh7-57vm
- github.com/traefik/traefik
- github.com/traefik/traefik/releases/tag/v2.11.43
- github.com/traefik/traefik/releases/tag/v3.6.14
- github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
- github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm
- nvd.nist.gov/vuln/detail/CVE-2026-39858