CVE-2026-33433
Published: 27 March 2026
Summary
CVE-2026-33433 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Traefik, the HTTP reverse proxy and load balancer. Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 6.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly mitigates the vulnerability by applying the vendor patches (2.11.42, 3.6.11, 3.7.0-ea.3) that fix Traefik's header canonicalization handling for `headerField` configurations.
SI-10 (Information Input Validation): validates incoming HTTP headers so that any client-supplied copy of the identity header, whether in canonical or non-canonical spelling, is stripped before Traefik writes its own value, preventing impersonation.
Boundary protection: enforces filtering at the reverse proxy boundary to monitor and filter HTTP traffic, reducing the risk of header-manipulation attempts reaching backends.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerable Traefik instance is a public-facing proxy, so it can be exploited remotely (T1190, Exploit Public-Facing Application) with crafted canonical headers that spoof or override the identity Traefik forwards (T1656, Impersonation), letting a low-privileged authenticated user escalate privileges against backends (T1068, Exploitation for Privilege Escalation).
NVD Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries; the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue.
Deeper analysis
CVE-2026-33433 is a vulnerability in Traefik, an HTTP reverse proxy and load balancer, affecting versions prior to 2.11.42, 3.6.11, and 3.7.0-ea.3. The issue occurs when the `headerField` configuration uses a non-canonical HTTP header name, such as `x-auth-user` instead of `X-Auth-User`. In this scenario, Traefik writes the identity header under its non-canonical name, but the backend receives two entries for the same logical header, and the attacker-supplied canonical one is read first, overriding Traefik's value. It is classified under CWE-290 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By injecting a canonical version of the header (e.g., `X-Auth-User`), the attacker overrides Traefik's intended non-canonical header, as the backend processes the injected canonical header first. This allows the attacker to impersonate any identity passed to backend services, potentially leading to unauthorized access, data compromise, or other high-impact actions on confidentiality, integrity, and availability.
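The override described above, reproduced as an added example (not Traefik's code or its actual patch): a Go HTTP server canonicalizes incoming header names, so an attacker's `x-auth-user: admin` arrives as `X-Auth-User`; if the proxy then assigns its own value under the non-canonical key by writing to the header map directly, both keys coexist, and a backend `Header.Get` (which canonicalizes its argument) returns the attacker's value. The hardened form, assumed here for illustration, canonicalizes the configured name, deletes any client-supplied value, and writes once; `isCanonicalHeaderName` is a hypothetical config check that flags exposed `headerField` values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
)

// Vulnerable form (simulated, not Traefik's source): assigning to the map
// under the configured, non-canonical key bypasses Go's key canonicalization,
// so a client-supplied canonical entry is left in place alongside it.
func vulnerableSetIdentity(h http.Header, headerField, user string) {
	h[headerField] = []string{user}
}

// Hardened form (an illustration, not the vendor patch): canonicalize the
// configured key, drop anything the client sent under it, then write once.
func hardenedSetIdentity(h http.Header, headerField, user string) {
	key := textproto.CanonicalMIMEHeaderKey(headerField)
	h.Del(key)
	h.Set(key, user)
}

// What a Go backend sees: Header.Get canonicalizes its argument and returns
// the first value stored under the canonical key.
func backendIdentity(h http.Header, headerField string) string {
	return h.Get(headerField)
}

// Number of header entries, under any spelling, that map to the identity
// header; two means the backend receives duplicates on the wire.
func entriesFor(h http.Header, headerField string) int {
	want := textproto.CanonicalMIMEHeaderKey(headerField)
	n := 0
	for k, v := range h {
		if textproto.CanonicalMIMEHeaderKey(k) == want {
			n += len(v)
		}
	}
	return n
}

// Hypothetical config audit: a headerField is exposed only when its spelling
// differs from the canonical form the Go parser will produce.
func isCanonicalHeaderName(name string) bool {
	return textproto.CanonicalMIMEHeaderKey(name) == name
}

// Constructed sample request: the attacker sent "x-auth-user: admin"; the Go
// server's parser stores it under the canonical key "X-Auth-User".
func buildRequest(injected string) http.Header {
	h := http.Header{}
	h.Add("X-Auth-User", injected)
	return h
}

func main() {
	const headerField = "x-auth-user" // non-canonical, as in the advisory

	vuln := buildRequest("admin")
	vulnerableSetIdentity(vuln, headerField, "alice")
	fmt.Printf("vulnerable: backend sees %q (%d entries)\n",
		backendIdentity(vuln, headerField), entriesFor(vuln, headerField))

	fixed := buildRequest("admin")
	hardenedSetIdentity(fixed, headerField, "alice")
	fmt.Printf("hardened:   backend sees %q (%d entries)\n",
		backendIdentity(fixed, headerField), entriesFor(fixed, headerField))

	fmt.Printf("headerField %q canonical: %v\n", headerField, isCanonicalHeaderName(headerField))
}
```

When the proxy serializes the vulnerable header map, both keys are written as separate lines, which is the duplicate-entry condition the NVD description refers to; which value a non-Go backend reads then depends on its own header parsing, so the only safe state is a single entry.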
Traefik's security advisory (GHSA-qr99-7898-vr7c) and the release notes for versions 2.11.42, 3.6.11, and 3.7.0-ea.3 confirm that these updates patch the vulnerability by addressing the header canonicalization handling in `headerField` configurations. Security practitioners should prioritize upgrading affected Traefik instances to one of these patched versions. Because the issue is triggered only when `headerField` is configured with a non-canonical name, auditing configurations for lowercase or mixed-case header names identifies the exposed instances while the upgrade is scheduled.
Details
- CWE(s)