{"id":"CVE-2026-35051","summary":"Traefik: ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth","details":"Traefik is an HTTP reverse proxy and load balancer. In versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2, Traefik's ForwardAuth middleware has an authentication bypass vulnerability when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy: a spoofed X-Forwarded-Prefix request header can be used to bypass authentication. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. Note that the versions enumerated in this record's affected list cover only 3.7.0 pre-releases, so 2.11.x and 3.6.x deployments should be checked against the fixed versions above rather than against that list.","aliases":["GHSA-6384-m2mw-rf54"],"modified":"2026-05-18T06:00:04.112230828Z","published":"2026-04-30T20:26:06.716Z","related":["openSUSE-SU-2026:10697-1","openSUSE-SU-2026:10698-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35051.json","cwe_ids":["CWE-345"]},"references":[{"type":"WEB","url":"https://github.com/traefik/traefik/releases/tag/v2.11.43"},{"type":"WEB","url":"https://github.com/traefik/traefik/releases/tag/v3.6.14"},{"type":"WEB","url":"https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35051.json"},{"type":"ADVISORY","url":"https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35051"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/traefik/traefik","events":[{"introduced":"67c64ed9b25fbb90f1086977a62827133a7aa01b"},{"fixed":"a47e15f1299d23fec1bcbb78bece4325a40d63f2"}]}],"versions":["v3.7.0-rc.1","v3.7.0-ea.3","v3.7.0-ea.1","v3.7.0-ea.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-35051.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"}]}