HTTP Reverse Proxy Vulnerability in Traefik by Traefik Labs
CVE-2026-33433

CVSS score: 5.1 (MEDIUM)

Key Information:

Vendor: Traefik
Status: Vendor
CVE Published: 27 March 2026

What is CVE-2026-33433?

Traefik, an HTTP reverse proxy and load balancer developed by Traefik Labs, has a vulnerability that allows authenticated attackers to exploit header field configurations. When a non-canonical HTTP header name is used in the configuration, such as 'x-auth-user' instead of 'X-Auth-User', an attacker can inject the canonical version of that header. As a result, the backend processes the attacker-injected header first, potentially allowing the attacker to impersonate any user identity. This vulnerability affects several versions of Traefik; users are encouraged to update to the patched releases 2.11.42, 3.6.11, and 3.7.0-ea.3 to mitigate this risk.
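The mechanism described above, illustrated with an added Go example that is not Traefik's code: Go's http.Header is a plain map keyed by canonical name, so a header written under a non-canonical key ("x-auth-user") lands in a separate entry and does not replace a client-supplied "X-Auth-User". The block lints a constructed, hypothetical header configuration for non-canonical names and contrasts a raw map write with a canonicalising write that drops the client's copy.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
)

// Constructed sample of an operator's header configuration (hypothetical, not
// Traefik's own format): "x-auth-user" is the non-canonical spelling at issue.
var ConfiguredHeaders = map[string]string{
	"x-auth-user":  "alice",
	"X-Request-Id": "req-1",
}

// NonCanonicalHeaderNames lists configured names whose spelling differs from
// the canonical MIME form Go's net/http uses (e.g. "X-Auth-User").
func NonCanonicalHeaderNames(cfg map[string]string) []string {
	var bad []string
	for name := range cfg {
		if textproto.CanonicalMIMEHeaderKey(name) != name {
			bad = append(bad, name)
		}
	}
	return bad
}

// UnsafeApply writes configured headers by raw map assignment. http.Header is a
// plain map, so a non-canonical key becomes a separate entry and any
// client-supplied "X-Auth-User" value is left in place for the backend to read.
func UnsafeApply(h http.Header, cfg map[string]string) {
	for name, value := range cfg {
		h[name] = []string{value}
	}
}

// SafeApply canonicalises each name, drops a raw non-canonical entry if one
// exists, and uses Header.Set, which replaces whatever the client sent.
func SafeApply(h http.Header, cfg map[string]string) {
	for name, value := range cfg {
		delete(h, name)
		h.Set(textproto.CanonicalMIMEHeaderKey(name), value)
	}
}

func main() {
	h := http.Header{"X-Auth-User": {"client-supplied"}} // constructed inbound request
	UnsafeApply(h, ConfiguredHeaders)
	fmt.Println("unsafe:", h.Get("X-Auth-User"), "| lint:", NonCanonicalHeaderNames(ConfiguredHeaders))
	SafeApply(h, ConfiguredHeaders)
	fmt.Println("safe:", h.Get("X-Auth-User"))
}
```

Running the lint over a deployment's header configuration before rollout catches the misspelling that the patched releases no longer tolerate.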

Affected Version(s)

traefik < 2.11.42

traefik >= 3.0.0-beta1, < 3.6.11

traefik >= 3.7.0-ea.1, < 3.7.0-ea.3

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability Reserved