Information Disclosure Vulnerability in Traefik HTTP Reverse Proxy and Load Balancer
CVE-2026-41181

6.9 MEDIUM

Key Information:

Vendor

Traefik

Status
Vendor
CVE Published:
15 May 2026

What is CVE-2026-41181?

Traefik, a popular HTTP reverse proxy and load balancer, has a significant information disclosure issue in its errors middleware. Before versions 2.11.44, 3.6.15, and 3.7.0-rc.3, the middleware forwards the complete header set of the original request to the separate error page service when an error response is generated. This includes sensitive credentials such as Authorization and Cookie headers, which could lead to unintentional exposure of user information. The documentation does not sufficiently warn operators about this behavior, potentially compromising user security. To mitigate this vulnerability, users are advised to update to the fixed versions as outlined.
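As defence in depth on the receiving side, an error page service can discard forwarded credentials before its page handler or logging can read them. The following Go sketch is an added example, not Traefik code or part of the advisory; the handler names, the request values and the inclusion of `Proxy-Authorization` are assumptions.

```go
// Added example (not Traefik code): filter credentials at the error-page backend.
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// Authorization and Cookie are the headers the advisory names;
// Proxy-Authorization is an assumption added here.
var credentialHeaders = []string{"Authorization", "Cookie", "Proxy-Authorization"}

// stripCredentials deletes credential headers, then calls next.
func stripCredentials(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, h := range credentialHeaders {
			r.Header.Del(h)
		}
		next.ServeHTTP(w, r)
	})
}

// passthrough models an error-page service with no filtering.
func passthrough(next http.Handler) http.Handler { return next }

// observe sends one constructed request, shaped like what an affected errors
// middleware forwards, and returns the sorted header names the page handler saw.
func observe(wrap func(http.Handler) http.Handler) []string {
	seen := []string{}
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name := range r.Header {
			seen = append(seen, name)
		}
	})
	req := httptest.NewRequest(http.MethodGet, "/503.html", nil) // constructed path
	req.Header.Set("Authorization", "Bearer constructed-token")  // constructed value
	req.Header.Set("Cookie", "session=constructed")              // constructed value
	req.Header.Set("Accept", "text/html")
	wrap(inner).ServeHTTP(httptest.NewRecorder(), req)
	sort.Strings(seen)
	return seen
}

func main() {
	fmt.Println("unfiltered:", observe(passthrough))
	fmt.Println("filtered:  ", observe(stripCredentials))
}
```

The filter only limits what the error page service itself handles and logs; the headers have already left the proxy, so updating Traefik remains the fix.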

Affected Version(s)

traefik >= 3.7.0-rc.0, < 3.7.0-rc.3 < 3.7.0-rc.0, 3.7.0-rc.3

traefik >= 3.0.0-beta1, < 3.6.14 < 3.0.0-beta1, 3.6.14

traefik < 2.11.43 < 2.11.43

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
