CVE-2026-33433: Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
There is a potential vulnerability in Traefik’s Basic and Digest authentication middlewares when headerField is configured with a non-canonical HTTP header name.
An authenticated attacker with valid credentials can inject the canonical version of the configured header to impersonate any identity to the backend. Because Traefik writes the authenticated username using a non-canonical map key, it creates a separate header entry rather than overwriting the attacker’s canonical one — causing most backend frameworks to read the attacker-controlled value instead.
When headerField is configured with a non-canonical HTTP header name (e.g., x-auth-user instead of X-Auth-User), an authenticated attacker can inject a canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik’s non-canonical write.
Tested on Traefik v3.6.10.
References
- github.com/advisories/GHSA-qr99-7898-vr7c
- github.com/traefik/traefik
- github.com/traefik/traefik/releases/tag/v2.11.42
- github.com/traefik/traefik/releases/tag/v3.6.11
- github.com/traefik/traefik/releases/tag/v3.7.0-ea.3
- github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c
- nvd.nist.gov/vuln/detail/CVE-2026-33433
Code Behaviors & Features
Detect and mitigate CVE-2026-33433 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →