Identity Spoofing Vulnerability in Traefik From Containing Underscore-Variant Headers
CVE-2026-54763
7.8HIGH
What is CVE-2026-54763?
An identity spoofing vulnerability in Traefik allows attackers to manipulate authentication headers by injecting underscore-variant headers that can bypass the middleware's protective measures. This improper handling can lead to unauthorized access by spoofing user identities or authorization context. The issue is resolved in Traefik versions v2.11.51, v3.6.22, and v3.7.6, which properly filter and sanitize such headers.
Affected Version(s)
traefik < 2.11.51 < 2.11.51
traefik >= 3.0.0-beta1, < v3.6.22 < 3.0.0-beta1, v3.6.22
traefik >= 3.7.0-ea.1, < v3.7.6 < 3.7.0-ea.1, v3.7.6
