Cyber Resilience

CVE-2026-29054

Severity: High
Published: 05 March 2026
Modified: 06 March 2026
KEV Added: not listed in the CISA KEV catalog
Patch: available (fixed in 2.11.38 and 3.6.9)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29054 is a high-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Traefik (vendor Traefik). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 2.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-29054 is a vulnerability in Traefik, an HTTP reverse proxy and load balancer, affecting versions 2.11.9 through 2.11.37 and 3.1.3 through 3.6.8. The issue stems from incorrect handling of case sensitivity in Traefik's protection mechanism for X-Forwarded headers, such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, and others. When processing HTTP/1.1 requests, Traefik compares Connection header tokens case-sensitively against protected header names but deletes headers case-insensitively, enabling attackers to bypass the safeguard.

A remote unauthenticated attacker can exploit this vulnerability by crafting HTTP requests with lowercase Connection tokens, such as "Connection: x-real-ip", to remove Traefik-managed X-Forwarded identity headers before they reach backend services. This allows the attacker to strip critical client information like real IP addresses or hosts, potentially enabling IP spoofing or other integrity violations against downstream applications. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-178 (Improper Handling of Case Sensitivity).

Traefik has patched the issue in versions 2.11.38 and 3.6.9. Administrators should upgrade to these releases to mitigate the vulnerability. Additional details, including patch notes, are provided in the GitHub security advisory GHSA-92mv-8f8w-wq52 and release announcements for v2.11.38 and v3.6.9.

Vulnerability details

Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9.
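The mechanism described above (in both the deeper analysis and the vulnerability details) comes down to one mismatch: the guard compares the raw Connection token against canonical header names, while the deletion routine canonicalises its argument. The following Go program is an added illustration of that flaw class and is not Traefik's code; it models the guard as a small function, runs it against a constructed request carrying a lowercase token, and shows the hardened form that canonicalises the token with the same rules as the deletion. The header list, the sample values (203.0.113.7, app.example) and all function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
	"strings"
)

// protectedHeaders are proxy-managed identity headers that must never be
// stripped on the strength of a client-supplied Connection token.
// (Illustrative list, not Traefik's actual configuration.)
var protectedHeaders = []string{
	"X-Real-Ip", "X-Forwarded-For", "X-Forwarded-Host",
	"X-Forwarded-Port", "X-Forwarded-Proto",
}

// connectionTokens splits every Connection header value into its
// comma-separated tokens, trimmed of surrounding whitespace.
func connectionTokens(h http.Header) []string {
	var tokens []string
	for _, v := range h.Values("Connection") {
		for _, t := range strings.Split(v, ",") {
			if t = strings.TrimSpace(t); t != "" {
				tokens = append(tokens, t)
			}
		}
	}
	return tokens
}

// isProtectedExact models the flawed guard: the raw token is compared
// byte-for-byte against the canonical names, so "x-real-ip" is not
// recognised as protected even though Header.Del will match it.
func isProtectedExact(token string) bool {
	for _, p := range protectedHeaders {
		if token == p {
			return true
		}
	}
	return false
}

// isProtectedCanonical is the hardened guard: the token is canonicalised
// with the same rules Header.Del applies, so comparison and deletion agree.
func isProtectedCanonical(token string) bool {
	canon := textproto.CanonicalMIMEHeaderKey(token)
	for _, p := range protectedHeaders {
		if canon == p {
			return true
		}
	}
	return false
}

// stripHopByHop removes each header named by a Connection token unless the
// supplied guard says it is protected. Header.Del canonicalises its
// argument, which is what makes the deletion case-insensitive.
func stripHopByHop(h http.Header, isProtected func(string) bool) {
	for _, tok := range connectionTokens(h) {
		if isProtected(tok) {
			continue
		}
		h.Del(tok)
	}
}

// sampleHeaders builds a constructed request as it would look after the
// proxy set its identity headers; the client supplied a lowercase
// Connection token alongside a genuine hop-by-hop header name.
func sampleHeaders() http.Header {
	h := http.Header{}
	h.Set("X-Real-Ip", "203.0.113.7")        // constructed value
	h.Set("X-Forwarded-Host", "app.example") // constructed value
	h.Set("Keep-Alive", "timeout=5")
	h.Set("Connection", "x-real-ip, keep-alive")
	return h
}

// simulate applies one guard to a fresh sample and returns the headers
// that would reach the backend.
func simulate(isProtected func(string) bool) http.Header {
	h := sampleHeaders()
	stripHopByHop(h, isProtected)
	return h
}

func main() {
	guards := map[string]func(string) bool{
		"exact (flawed)":       isProtectedExact,
		"canonical (hardened)": isProtectedCanonical,
	}
	for name, guard := range guards {
		h := simulate(guard)
		fmt.Printf("%-22s X-Real-Ip=%q Keep-Alive=%q\n",
			name, h.Get("X-Real-Ip"), h.Get("Keep-Alive"))
	}
}
```

With the exact guard, X-Real-Ip is gone by the time the backend sees the request, while the canonical guard keeps it and still removes the legitimate hop-by-hop Keep-Alive header. The general lesson for any proxy or middleware is that an allow-list or deny-list check must normalise its input with exactly the same function the enforcing operation uses.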

CWE(s)

CWE-178 Improper Handling of Case Sensitivity

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.002 Transmitted Data Manipulation (Impact)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The CVE directly describes remote exploitation of a public-facing proxy (T1190) to bypass header protections and manipulate X-Forwarded headers in transit, achieving an integrity impact via IP spoofing (T1565.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35051: same product (Traefik Traefik)
CVE-2026-39858: same product (Traefik Traefik)
CVE-2026-32695: same product (Traefik Traefik)
CVE-2025-54386: same product (Traefik Traefik)
CVE-2026-40912: same product (Traefik Traefik)
CVE-2026-33433: same product (Traefik Traefik)
CVE-2026-22045: same product (Traefik Traefik)
CVE-2026-25949: same product (Traefik Traefik)
CVE-2026-26999: same product (Traefik Traefik)
CVE-2026-27588: shared CWE-178

Affected Assets

Vendor: traefik
Product: traefik
Versions: 2.11.9 to 2.11.38 · 3.1.3 to 3.6.9

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation of HTTP headers to reject malformed or manipulative Connection tokens that bypass case-sensitive checks on X-Forwarded headers.

AC-4 Information Flow Enforcement (prevent)
Enforces correct information flow rules for security-relevant headers (X-Real-Ip, X-Forwarded-Host, etc.) so they cannot be stripped by crafted Connection values.

Transmission of security attributes (prevent)
Protects transmission of security attributes carried in X-Forwarded headers, ensuring they reach back-end services without unauthorized removal.
