
CVE Reports

Originally published at cvereports.com

CVE-2026-33433: Authentication Spoofing via Header Canonicalization Bypass in Traefik Middlewares

Vulnerability ID: CVE-2026-33433
CVSS Score: 5.1
Published: 2026-03-27

Traefik versions prior to 2.11.42, 3.6.12, and 3.7.0-ea.3 contain a vulnerability in the BasicAuth and DigestAuth middlewares. When a middleware is configured with a non-canonical headerField name, an attacker holding valid low-privileged credentials can inject the same header in canonical form, bypass the middleware's authentication logic, and spoof their identity to backend services.

TL;DR

A flaw in how the middlewares assign the identity header into Go's header map lets authenticated attackers bypass Traefik's BasicAuth and DigestAuth middlewares and spoof their identity to backend services when the proxy configuration uses a non-canonical header name.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-290 (Authentication Bypass by Spoofing)
  • Attack Vector: Network
  • CVSS 4.0: 5.1 (Medium)
  • EPSS Score: 0.00011 (1.35th Percentile)
  • Exploit Status: Proof of Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • Traefik Reverse Proxy
  • Traefik BasicAuth Middleware
  • Traefik DigestAuth Middleware
  • Traefik v2: < 2.11.42 (Fixed in: 2.11.42)
  • Traefik v3: >= 3.0.0-beta1, < 3.6.12 (Fixed in: 3.6.12)
  • Traefik v3 (Early Access): >= 3.7.0-ea.1, < 3.7.0-ea.3 (Fixed in: 3.7.0-ea.3)

Mitigation Strategies

  • Upgrade Traefik to a patched release version (2.11.42, 3.6.12, or 3.7.0-ea.3).
  • Update all headerField configuration directives to use canonical casing (e.g., X-Auth-User instead of x-auth-user).
  • Deploy a requestHeader middleware to strip existing authentication headers before requests reach the auth middleware.

Remediation Steps:

  1. Audit Traefik configuration files (YAML/TOML/Labels) to identify all instances of BasicAuth and DigestAuth middlewares.
  2. Inspect the headerField property of each identified middleware to determine if non-canonical casing is in use.
  3. Schedule a maintenance window to upgrade the Traefik binary or container image to a patched version.
  4. If upgrading is delayed, modify the configuration files to enforce canonical casing for the headerField and restart the proxy service.
  5. Implement monitoring to detect requests containing duplicate or conflicting authentication headers.
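The header-map behaviour behind this advisory, and the effect of each mitigation above, as an added Go example. This is not Traefik's code: it is a constructed model in which the proxy writes the authenticated identity into an incoming request's header map, and the function names (IsCanonicalHeaderField, Scenario, StripAuthHeader, BackendUser, ClientSuppliedIdentityHeader) and the header name x-auth-user are hypothetical. It relies only on the documented semantics of net/http: Header.Set, Header.Get and Header.Del canonicalize their key, while a raw map assignment does not.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
)

// IsCanonicalHeaderField reports whether a configured headerField already uses
// Go's canonical MIME casing (e.g. "X-Auth-User"). A false result is the weak
// configuration the advisory describes (remediation step 2).
func IsCanonicalHeaderField(field string) bool {
	return field != "" && field == textproto.CanonicalMIMEHeaderKey(field)
}

// newRequestFromClient builds an incoming request the way Go's server does
// after parsing: every client-supplied header name is stored canonicalized.
// The header values are constructed sample input.
func newRequestFromClient(headers map[string]string) *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "http://backend.example/", nil)
	for k, v := range headers {
		req.Header.Set(k, v) // Set canonicalizes the key, as the parser does
	}
	return req
}

// ClientSuppliedIdentityHeader reports whether the request already carries the
// identity header before authentication has run. Legitimate clients have no
// reason to send it, so this is a usable monitoring signal (step 5).
func ClientSuppliedIdentityHeader(h http.Header, field string) bool {
	return h.Get(field) != "" // Get canonicalizes, so any casing is found
}

// setViaMapAssignment models the flawed pattern: the identity is written by raw
// map index, so the key keeps the configured spelling and does not replace a
// canonical key the client already put in the map.
func setViaMapAssignment(h http.Header, field, user string) {
	h[field] = []string{user}
}

// setViaHeaderSet models the hardened pattern: Header.Set canonicalizes the key
// and therefore overwrites whatever the client sent under that name.
func setViaHeaderSet(h http.Header, field, user string) {
	h.Set(field, user)
}

// StripAuthHeader models a strip-before-auth middleware: it removes both the
// configured spelling and its canonical form before authentication runs.
func StripAuthHeader(h http.Header, field string) {
	delete(h, field) // exact spelling, in case a non-canonical key is present
	h.Del(field)     // canonical form
}

// BackendUser is what a Go backend using the idiomatic Header.Get sees.
func BackendUser(h http.Header, field string) string {
	return h.Get(field)
}

// Scenario runs one configuration and returns the identity the backend sees.
//   field:         the headerField from the middleware configuration
//   clientSupplied: the value the (authenticated, low-privileged) client sends
//   authenticatedUser: the identity the proxy verified from the credentials
//   strip:         whether a strip-before-auth middleware is in place
//   useSet:        whether the proxy writes the header with Set or by raw index
func Scenario(field, clientSupplied, authenticatedUser string, strip, useSet bool) string {
	req := newRequestFromClient(map[string]string{field: clientSupplied})
	if strip {
		StripAuthHeader(req.Header, field)
	}
	if useSet {
		setViaHeaderSet(req.Header, field, authenticatedUser)
	} else {
		setViaMapAssignment(req.Header, field, authenticatedUser)
	}
	return BackendUser(req.Header, field)
}

func main() {
	fmt.Println("non-canonical field, raw assignment:", Scenario("x-auth-user", "admin", "alice", false, false))
	fmt.Println("canonical field, raw assignment:    ", Scenario("X-Auth-User", "admin", "alice", false, false))
	fmt.Println("non-canonical field, Header.Set:    ", Scenario("x-auth-user", "admin", "alice", false, true))
	fmt.Println("non-canonical field, stripped first:", Scenario("x-auth-user", "admin", "alice", true, false))
}
```

The first scenario reproduces the spoof: the client's canonical X-Auth-User survives beside the proxy's non-canonical x-auth-user, and Header.Get returns the client's value. Canonical casing in the configuration (the second scenario) makes the proxy's write overwrite the client's header, which is why the advisory treats it as the configuration fix. Stripping the header before authentication (the fourth scenario) blocks the spoof on its own, but note that with a non-canonical field the legitimate identity then sits only under the non-canonical key, where a Go backend using Header.Get does not see it at all; stripping is a stopgap, and upgrading plus canonical casing is the complete remediation.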

Read the full report for CVE-2026-33433 on our website for more details including interactive diagrams and full exploit analysis.