Authentication Bypass in Traefik's Load Balancer and Reverse Proxy
CVE-2026-35051

7.8HIGH

Key Information:

Vendor

Traefik

Status
Traefik
Vendor
CVE Published:
30 April 2026

What is CVE-2026-35051?

Traefik, a widely-used HTTP reverse proxy and load balancer, contains a vulnerability in its ForwardAuth middleware which could allow an attacker to bypass authentication when configured with trustForwardHeader=false. This risk arises specifically when Traefik operates behind a trusted upstream proxy. Users are strongly urged to update their installations to the latest versions, 2.11.43, 3.6.14, and 3.7.0-rc.2, to secure their deployment. For detailed information, visit the Traefik security advisory and the respective versions' release notes.

Affected Version(s)

traefik < 2.11.43 < 2.11.43

traefik >= 3.0.0-beta1, < 3.6.14 < 3.0.0-beta1, 3.6.14

traefik >= 3.7.0-ea.1, < 3.7.0-rc.2 < 3.7.0-ea.1, 3.7.0-rc.2

References

https://github.com/traefik/traefik/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/traefik/traefik/releases/tag/v2.11.43
x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v3.6.14
x_refsource_MISC

CVSS V4

Score:
7.8
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.