Denial of Service Vulnerability in Traefik HTTP Reverse Proxy and Load Balancer
CVE-2026-26998

4.4MEDIUM

Key Information:

Vendor

Traefik

Status
Traefik
Vendor
CVE Published:
5 March 2026

What is CVE-2026-26998?

Traefik, a popular HTTP reverse proxy and load balancer, has a vulnerability associated with the ForwardAuth middleware. When configured to utilize this middleware, Traefik reads the entire response body from the authentication server without imposing any size limitations. This flaw allows for the possibility of receiving a response body that is excessively large or unbounded. As a result, Traefik could potentially allocate an unlimited amount of memory, leading to an out-of-memory (OOM) condition that may crash the service and disrupt all routes being served. The issue has been resolved in Traefik versions 2.11.38 and 3.6.9.

Affected Version(s)

traefik < 2.11.38 < 2.11.38

traefik < 3.6.9 < 3.6.9

References

https://github.com/traefik/traefik/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/traefik/traefik/releases/tag/v2.11.38
x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v3.6.9
x_refsource_MISC

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.