Identity Spoofing Vulnerability in Traefik From Containing Underscore-Variant Headers
CVE-2026-54763

7.8HIGH

Key Information:

Vendor

Traefik

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-54763?

An identity spoofing vulnerability in Traefik allows attackers to manipulate authentication headers by injecting underscore-variant headers that can bypass the middleware's protective measures. This improper handling can lead to unauthorized access by spoofing user identities or authorization context. The issue is resolved in Traefik versions v2.11.51, v3.6.22, and v3.7.6, which properly filter and sanitize such headers.

Affected Version(s)

traefik < 2.11.51 < 2.11.51

traefik >= 3.0.0-beta1, < v3.6.22 < 3.0.0-beta1, v3.6.22

traefik >= 3.7.0-ea.1, < v3.7.6 < 3.7.0-ea.1, v3.7.6

References

CVSS V4

Score:
7.8
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.