CVE-2026-41181 Overview
CVE-2026-41181 is an information disclosure vulnerability in Traefik, an HTTP reverse proxy and load balancer. The flaw resides in the errors middleware, which renders custom error pages when backends return responses within a configured status range. When triggered, the middleware forwards the complete header set from the original client request, including Authorization, Cookie, and other authentication material, to the separate error page service. Traefik documentation only states that the Host header is forwarded by default, so operators are not warned that credentials traverse service boundaries. The issue affects all releases prior to 2.11.44, 3.6.15, and 3.7.0-rc.3.
Critical Impact
End-user credentials and session tokens can be exposed to error page infrastructure that was never intended to receive them, enabling downstream credential harvesting or replay attacks.
Affected Products
- Traefik versions prior to 2.11.44
- Traefik versions prior to 3.6.15
- Traefik 3.7.0-ea1, 3.7.0-ea2, 3.7.0-ea3, 3.7.0-rc1, 3.7.0-rc2
Discovery Timeline
- 2026-05-15 - CVE-2026-41181 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-41181
Vulnerability Analysis
Traefik's errors middleware intercepts backend responses whose status codes fall within an operator-defined range and redirects rendering to a configured error page service. The intent is to deliver branded or templated error pages without exposing backend failures to clients. The middleware should forward only the minimal context required to render the error page, such as the request path or status code.
Instead, the middleware proxies the full header set from the inbound client request to the error page service. This includes any Authorization bearer tokens, session Cookie values, API keys carried in custom headers, and other sensitive material. The information disclosure is classified under [CWE-201]: Insertion of Sensitive Information Into Sent Data.
Root Cause
The root cause is an undocumented design decision in the middleware's request construction logic. When building the subrequest to the error page service, Traefik copies the original request headers wholesale rather than constructing a minimized request scoped to error rendering. Operators who deploy a distinct error page service, common in microservice architectures, implicitly trust that only metadata flows there, because the documentation states that only Host is forwarded by default.
Attack Vector
Exploitation does not require an active attacker. Any backend response that matches the configured status range causes the original request headers to flow to the error page service. An operator running a third-party or lower-trust error page container receives credentials belonging to end users of the protected applications. A malicious or compromised error page service can log, exfiltrate, or replay those credentials against the originating backends. Network-based attackers who can induce error responses, for example by crafting requests that trigger 401, 403, or 5xx codes, can amplify exposure on demand.
Detection Methods for CVE-2026-41181
Indicators of Compromise
- Presence of Authorization, Cookie, or session header values in access logs of the error page service.
- Outbound requests from the error page service to unexpected destinations carrying credential material.
- Error page service container images or sidecars from third-party or unaudited sources receiving inbound traffic from Traefik.
Detection Strategies
- Audit Traefik dynamic configuration for errors middleware definitions referencing an external service and identify whether that service handles sensitive headers.
- Inspect HTTP traffic between Traefik and the configured error page service for headers beyond Host, particularly authentication headers.
- Review the error page service application logs and request handlers for any code paths that read, store, or forward Authorization or Cookie headers.
Monitoring Recommendations
- Enable verbose access logging on the error page service and alert on the presence of authentication headers in incoming requests.
- Monitor for new or modified errors middleware definitions in Traefik configuration sources such as Kubernetes IngressRoute or Consul KV.
- Track Traefik version inventory across environments and flag instances running releases prior to the fixed versions.
How to Mitigate CVE-2026-41181
Immediate Actions Required
- Upgrade Traefik to 2.11.44, 3.6.15, or 3.7.0-rc.3 or later, depending on the deployed branch.
- Rotate any credentials, session tokens, and API keys that may have been forwarded to the error page service during the exposure window.
- Review error page service logs for credential material and purge captured headers from persistent storage.
Patch Information
The vendor has published fixes in GitHub Release v2.11.44, GitHub Release v3.6.15, and GitHub Release v3.7.0-rc.3. Full details are in GitHub Security Advisory GHSA-p6hg-qh38-555r.
Workarounds
- Replace external error page services with Traefik's built-in static error responses where feasible, eliminating cross-service header forwarding.
- Co-locate the error page service in the same trust boundary as the backends so that header exposure does not cross security domains.
- Deploy a downstream filter, such as a sidecar or intermediate proxy, that strips Authorization, Cookie, and other sensitive headers before traffic reaches the error page service.
# Configuration example: pin Traefik to a fixed version in Kubernetes
helm upgrade traefik traefik/traefik \
--set image.tag=v3.6.15 \
--namespace traefik
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
