CVE-2026-35051

10.0 CRITICAL
Published: April 30, 2026 Modified: May 01, 2026
View on NVD

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/traefik/traefik/releases/tag/v2.11.43
Source: security-advisories@github.com
Product Release Notes
https://github.com/traefik/traefik/releases/tag/v3.6.14
Source: security-advisories@github.com
Product Release Notes
https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
Source: security-advisories@github.com
Product Release Notes
https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54
Source: security-advisories@github.com
Exploit Patch Vendor Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
10.0 / 10.0
EPSS (Exploit Probability)
0.0%
3th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-345

Affected Vendors

traefik

Related CVEs

CVE-2026-43964 3.7
CVE-2026-42237 N/A
CVE-2026-42236 N/A
CVE-2026-42235 N/A
CVE-2026-42234 N/A