CVE-2026-33433

UNKNOWN 0.0

Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

1th

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue.

CWE	CWE-290
Vendor	traefik
Product	traefik
Published	Mar 27, 2026
Last Updated	Mar 30, 2026

Stay Ahead of the Next One

Get instant alerts for traefik traefik

Be the first to know when new unknown vulnerabilities affecting traefik traefik are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

traefik / traefik

< 2.11.42 >= 3.0.0-beta1, < 3.6.11 >= 3.7.0-ea.1, < 3.7.0-ea.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c github.com: https://github.com/traefik/traefik/releases/tag/v2.11.42 github.com: https://github.com/traefik/traefik/releases/tag/v3.6.11 github.com: https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3