CVE-2026-26998: Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS

March 4, 2026 (updated March 5, 2026)

The ForwardAuth middleware reads the entire authentication server response body into memory using io.ReadAll with no size limit. A single HTTP request through a ForwardAuth-protected route can cause the Traefik process to allocate gigabytes of memory and be killed by the OOM killer, resulting in complete denial of service for all routes on the affected entrypoint.

References

github.com/advisories/GHSA-fw45-f5q2-2p4x
github.com/traefik/traefik
github.com/traefik/traefik/releases/tag/v2.11.38
github.com/traefik/traefik/releases/tag/v3.6.9
github.com/traefik/traefik/security/advisories/GHSA-fw45-f5q2-2p4x
nvd.nist.gov/vuln/detail/CVE-2026-26998

Code Behaviors & Features

Detect and mitigate CVE-2026-26998 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →