Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54764

CVE-2026-54764: Traefik Auth Bypass Vulnerability

CVE-2026-54764 is an authentication bypass flaw in Traefik's ForwardAuth middleware that allows attackers to circumvent port-based authorization checks. This article covers the technical details, affected versions, and mitigations.

Published:

CVE-2026-54764 Overview

CVE-2026-54764 is a header injection vulnerability in Traefik, an open-source HTTP reverse proxy and load balancer. The flaw resides in the ForwardAuth middleware, which derives the X-Forwarded-Port header sent to the authentication service from the original incoming request rather than the sanitized forwarded request. This behavior persists even when operators explicitly configure trustForwardHeader: false. An unauthenticated remote attacker can inject an X-Forwarded-Proto: https header over a plain HTTP connection, causing Traefik to forward X-Forwarded-Port: 443 to the authentication service. The result is a bypass of port-based authorization checks. The issue is resolved in Traefik v2.11.51, v3.6.22, and v3.7.6.

Critical Impact

Remote unauthenticated attackers can bypass port-based authorization decisions enforced by ForwardAuth backends by injecting forwarded headers over plain HTTP.

Affected Products

  • Traefik versions prior to v2.11.51
  • Traefik versions prior to v3.6.22
  • Traefik versions prior to v3.7.6

Discovery Timeline

  • 2026-07-06 - CVE-2026-54764 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-54764

Vulnerability Analysis

The defect is classified under [CWE-345] Insufficient Verification of Data Authenticity. Traefik's ForwardAuth middleware forwards a subset of request headers to an external authentication service, which then decides whether the request is authorized. Operators use trustForwardHeader: false to instruct Traefik to strip attacker-controlled forwarded headers and rebuild them from the observed connection.

In vulnerable releases, the X-Forwarded-Port value passed to the auth service is computed from the original inbound request headers rather than from the sanitized forwardReq object. An attacker can therefore send X-Forwarded-Proto: https over a plain HTTP listener and cause Traefik to emit X-Forwarded-Port: 443 to the backend. Authorization policies that trust this value to gate access to sensitive routes fail open.

Root Cause

The root cause is a parameter mismatch in pkg/middlewares/auth/forward.go. The forwardedPort helper was invoked against the original request only, ignoring the sanitized forwarded request that already had untrusted headers removed when trustForwardHeader was disabled.

Attack Vector

An unauthenticated attacker sends an HTTP request to a Traefik router protected by ForwardAuth. By setting X-Forwarded-Proto: https in the request, the attacker manipulates the port value forwarded to the authentication backend. If the backend authorizes requests based on the assumed HTTPS/443 context, the attacker gains access to resources intended to be restricted to properly authenticated TLS clients.

go
	}

	if _, ok := forwardReq.Header[forwardedheaders.XForwardedPort]; !ok {
-		forwardReq.Header.Set(forwardedheaders.XForwardedPort, forwardedPort(req))
+		forwardReq.Header.Set(forwardedheaders.XForwardedPort, forwardedPort(req, forwardReq))
	}

	if _, ok := forwardReq.Header[forwardedheaders.XForwardedHost]; !ok {

Source: Traefik commit 7ae92d8c. The patch passes the sanitized forwardReq to forwardedPort, so the emitted port reflects the trusted forwarded request context rather than the raw attacker-controlled headers.

Detection Methods for CVE-2026-54764

Indicators of Compromise

  • Inbound HTTP requests containing an X-Forwarded-Proto: https header arriving on a plain HTTP listener.
  • Authentication service logs showing X-Forwarded-Port: 443 for requests whose upstream connection was HTTP.
  • Unexpected 200 responses from ForwardAuth-protected routes preceded by requests missing valid session or bearer tokens.

Detection Strategies

  • Correlate Traefik access logs with authentication backend logs to identify mismatches between the observed TCP listener port and the X-Forwarded-Port value delivered to the auth service.
  • Alert on external clients supplying X-Forwarded-* headers to public-facing entrypoints, since these should originate only from trusted upstream proxies.
  • Track Traefik build versions across the fleet and flag any instance running a release earlier than v2.11.51, v3.6.22, or v3.7.6.

Monitoring Recommendations

  • Ingest Traefik and ForwardAuth service logs into a centralized analytics platform and baseline normal header distributions.
  • Enable request-level tracing across the proxy and auth service to make header propagation auditable.
  • Monitor for anomalous authorization successes from unauthenticated source IP ranges on routes protected by port-conditional policies.

How to Mitigate CVE-2026-54764

Immediate Actions Required

  • Upgrade Traefik to v2.11.51, v3.6.22, or v3.7.6 or later depending on the deployed branch.
  • Audit ForwardAuth-protected routes and confirm that authorization decisions do not silently trust X-Forwarded-Port or X-Forwarded-Proto values.
  • Restrict acceptance of X-Forwarded-* headers to requests originating from known upstream proxies.

Patch Information

The fix is delivered in Traefik v2.11.51, v3.6.22, and v3.7.6. Refer to the GitHub Security Advisory GHSA-3q9r-p662-5j8m and the upstream commit 7ae92d8c for the code change.

Workarounds

  • Terminate TLS in front of Traefik and reject inbound X-Forwarded-Proto and X-Forwarded-Port headers at the edge until the upgrade is applied.
  • Reconfigure the authentication backend to derive protocol and port information from the underlying transport rather than from forwarded headers.
  • Disable or bypass port-conditional authorization rules until the patched Traefik version is deployed.
bash
# Verify the running Traefik version
traefik version

# Example Helm upgrade to a patched release
helm upgrade traefik traefik/traefik --version <patched-chart-version> \
  --set image.tag=v3.7.6

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.