CVE-2026-35051

UNKNOWN 0.0

Traefik: ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

CWE	CWE-345
Vendor	traefik
Product	traefik
Published	Apr 30, 2026

Stay Ahead of the Next One

Get instant alerts for traefik traefik

Be the first to know when new unknown vulnerabilities affecting traefik traefik are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

traefik / traefik

< 2.11.43 >= 3.0.0-beta1, < 3.6.14 >= 3.7.0-ea.1, < 3.7.0-rc.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54 github.com: https://github.com/traefik/traefik/releases/tag/v2.11.43 github.com: https://github.com/traefik/traefik/releases/tag/v3.6.14 github.com: https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2