CVE-2026-39858
Published: 30 April 2026
Summary
CVE-2026-39858 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Traefik. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 18.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): applying the vendor security patches to vulnerable Traefik versions directly remediates the header sanitization flaw that enables the authentication bypass.
SI-10 (Information Input Validation): validating and sanitizing all HTTP header variants, including underscore aliases such as X_Forwarded_Proto, prevents injection of spoofed trust context that would bypass the authentication backend.
Boundary protection at reverse proxies like Traefik enforces filtering of unauthorized or malformed headers to mitigate spoofing of forwarded trust information.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass via header spoofing against a public-facing Traefik reverse proxy is a direct instance of exploiting a public-facing application (T1190) to obtain unauthorized access.
NVD Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Deeper analysis
CVE-2026-39858 is a high-severity authentication bypass vulnerability affecting Traefik, an open-source HTTP reverse proxy and load balancer. The issue resides in Traefik's ForwardAuth and snippet-based authentication middleware in versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2. Traefik's forwarded-header sanitization logic only targets canonical header names, such as X-Forwarded-Proto, and fails to strip or normalize alias variants using underscores instead of dashes, like X_Forwarded_Proto. These unsanitized alias headers are passed intact to the authentication backend, enabling exploitation when the backend treats underscore and dash variants equivalently.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network, as indicated by its CVSS 3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). By injecting spoofed trust context—such as a trusted scheme or host—via these alias headers, an attacker can trick the authentication backend into granting access to protected routes without valid credentials, potentially leading to unauthorized confidentiality and integrity impacts.
Traefik has addressed the vulnerability in patched versions 2.11.43, 3.6.14, and 3.7.0-rc.2, with release notes and a security advisory available on GitHub detailing the fixes. Security practitioners should prioritize upgrading affected Traefik instances to mitigate the risk, as outlined in the official advisories at the provided release tags and GHSA-5m6w-wvh7-57vm.
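As an added illustration, not Traefik's own code, the Go snippet below shows the sanitization gap the advisory describes next to an alias-aware version: header names are normalized (lowercased, underscores folded to dashes) before deciding what to strip, so the underscore spellings a backend would treat as equivalent are removed too. The header set, its values and the function names are constructed assumptions for the example.

```go
package main
import (
	"fmt"
	"net/http"
	"strings"
)
// Normalized names of headers the proxy sets itself and must never accept from a client.
var forwardedHeaders = map[string]bool{
	"x-forwarded-proto": true, "x-forwarded-host": true, "x-forwarded-for": true,
}

// normalizeHeaderName folds spellings a backend may treat as equivalent: lowercase, '_' -> '-'.
func normalizeHeaderName(name string) string {
	return strings.ToLower(strings.ReplaceAll(name, "_", "-"))
}

// canonicalOnlyStrip mirrors the flawed behaviour: only canonical names go, aliases stay.
func canonicalOnlyStrip(h http.Header) {
	for name := range forwardedHeaders {
		h.Del(name) // Del canonicalizes "x-forwarded-proto" to X-Forwarded-Proto
	}
}

// stripForwardedAliases drops every header whose normalized name is a forwarded header.
func stripForwardedAliases(h http.Header) int {
	dropped := 0
	for rawKey := range h {
		if forwardedHeaders[normalizeHeaderName(rawKey)] {
			delete(h, rawKey) // raw key: Del() would re-canonicalize and miss it
			dropped++
		}
	}
	return dropped
}

// sampleClientHeaders is constructed input, not a captured request.
func sampleClientHeaders() http.Header {
	h := http.Header{}
	h.Set("X-Forwarded-Proto", "https")
	h.Set("X_Forwarded_Proto", "https")          // net/http stores the key as X_forwarded_proto
	h["x_forwarded_host"] = []string{"internal"} // raw key, as an uncanonicalized path might store it
	h.Set("X-Request-Id", "constructed-1")       // benign header that must survive
	return h
}

func main() {
	h := sampleClientHeaders()
	canonicalOnlyStrip(h)
	fmt.Println("left after canonical-only strip:", len(h), "dropped by alias-aware strip:", stripForwardedAliases(h))
}
```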
Details
- CWE(s)