CVE-2026-29054
Published: 05 March 2026
Summary
CVE-2026-29054 is a high-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Traefik. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 2.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The CVE directly describes remote exploitation of a public-facing proxy (T1190) to bypass header protections and manipulate X-Forwarded headers in transit, achieving an integrity impact via IP spoofing (T1565.002).
NVD Description
Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9.
Deeper analysis (AI-generated)
CVE-2026-29054 is a vulnerability in Traefik, an HTTP reverse proxy and load balancer, affecting versions 2.11.9 through 2.11.37 and 3.1.3 through 3.6.8. The issue stems from incorrect handling of case sensitivity in Traefik's protection mechanism for X-Forwarded headers, such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, and others. When processing HTTP/1.1 requests, Traefik compares Connection header tokens case-sensitively against protected header names but deletes headers case-insensitively, enabling attackers to bypass the safeguard.
A remote unauthenticated attacker can exploit this vulnerability by crafting HTTP requests with lowercase Connection tokens, such as "Connection: x-real-ip", to remove Traefik-managed X-Forwarded identity headers before they reach backend services. This allows the attacker to strip critical client information like real IP addresses or hosts, potentially enabling IP spoofing or other integrity violations against downstream applications. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-178 (Improper Handling of Case Sensitivity).
Traefik has patched the issue in versions 2.11.38 and 3.6.9. Administrators should upgrade to these releases to mitigate the vulnerability. Additional details, including patch notes, are provided in the GitHub security advisory GHSA-92mv-8f8w-wq52 and release announcements for v2.11.38 and v3.6.9.
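The following Go program is an added illustration of the bug class described in the NVD description and the analysis above; it is not Traefik's code and does not reproduce Traefik's real header-handling table or control flow. It models a hop-by-hop stripping step that deletes each header named in the Connection header unless a guard marks it as proxy-managed, and contrasts a guard that compares tokens case-sensitively (the flaw) with one that compares them case-insensitively, which is what the deletion step already does (Go's `http.Header.Del` canonicalises its argument). The protected-header list, the sample header values and the `sampleHeaders` helper are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Proxy-managed forwarded headers named in the advisory. This is an
// illustrative list for the example, not Traefik's actual table.
var protectedHeaders = []string{
	"X-Real-Ip",
	"X-Forwarded-Host",
	"X-Forwarded-Port",
}

// connectionTokens returns the trimmed tokens of every Connection header value,
// e.g. "x-real-ip, keep-alive" -> ["x-real-ip", "keep-alive"].
func connectionTokens(h http.Header) []string {
	var tokens []string
	for _, v := range h.Values("Connection") {
		for _, tok := range strings.Split(v, ",") {
			if t := strings.TrimSpace(tok); t != "" {
				tokens = append(tokens, t)
			}
		}
	}
	return tokens
}

// isProtected is the guard in front of the deletion. exact=true models the
// flawed comparison (case-sensitive string equality); exact=false compares
// case-insensitively, which is the only comparison consistent with the
// case-insensitive deletion that follows.
func isProtected(token string, exact bool) bool {
	for _, p := range protectedHeaders {
		if exact && token == p {
			return true
		}
		if !exact && strings.EqualFold(token, p) {
			return true
		}
	}
	return false
}

// stripHopByHop removes each header named in Connection unless the guard says
// it is proxy-managed. http.Header.Del canonicalises its key, so "x-real-ip"
// deletes "X-Real-Ip" whatever case the client used.
func stripHopByHop(h http.Header, exactGuard bool) {
	for _, tok := range connectionTokens(h) {
		if isProtected(tok, exactGuard) {
			continue
		}
		h.Del(tok)
	}
}

// survivingProtected reports which proxy-managed headers are still present
// after stripping; a defender's check that the forwarded identity survived.
func survivingProtected(h http.Header) []string {
	var kept []string
	for _, p := range protectedHeaders {
		if h.Get(p) != "" {
			kept = append(kept, p)
		}
	}
	return kept
}

// sampleHeaders builds a constructed header set as seen after the proxy has
// set its forwarded headers, with the client-supplied Connection value given.
func sampleHeaders(connection string) http.Header {
	h := http.Header{}
	h.Set("X-Real-Ip", "203.0.113.5")     // constructed sample value
	h.Set("X-Forwarded-Host", "app.example")
	h.Set("X-Forwarded-Port", "443")
	h.Set("Connection", connection)
	return h
}

func main() {
	for _, exact := range []bool{true, false} {
		h := sampleHeaders("x-real-ip, keep-alive")
		stripHopByHop(h, exact)
		fmt.Printf("caseSensitiveGuard=%v surviving=%v\n", exact, survivingProtected(h))
	}
}
```

Running it shows the mismatch directly: with the case-sensitive guard the lowercase token slips past the comparison and X-Real-Ip is gone, while with `strings.EqualFold` the same token is recognised and all three headers survive. The general rule this demonstrates is that a guard and the operation it guards must normalise their inputs the same way; when the operation is case-insensitive, a case-sensitive allow/deny check in front of it is a bypass waiting to be found.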
Details
- CWE(s)