# Traefik ForwardAuth Trusts Forged X-Forwarded-Prefix to Bypass Authentication

## Vulnerability Overview

The `ForwardAuth` middleware in Traefik is subject to a high-severity authentication bypass when it is configured with `trustForwardHeader=false` and Traefik is deployed behind a trusted upstream proxy. With `trustForwardHeader=false`, Traefik does not reconstruct or strip the `X-Forwarded-*` headers (`X-Forwarded-For`, `X-Forwarded-Host`, `X-Forwarded-Proto`, and so on) received from trusted contexts, so an attacker-supplied `X-Forwarded-Prefix` value remains intact in the requests Traefik subsequently sends. Because Traefik's ForwardAuth flow relies on `X-Forwarded-Prefix` when making authorization decisions, an external attacker can forge a trusted prefix value, bypass authentication, and reach protected backend routes.

## Affected Versions

- `<= v2.11.42`
- `<= v3.6.13`
- `<= v3.7.0-rc1`

## Remediation

Upgrade to one of the following patched versions:

- `v2.11.43`
- `v3.6.14`
- `v3.7.0-rc2`

## References

- [GitHub Release v2.11.43](https://github.com/traefik/traefik/releases/tag/v2.11.43)
- [GitHub Release v3.6.14](https://github.com/traefik/traefik/releases/tag/v3.6.14)
- [GitHub Release v3.7.0-rc2](https://github.com/traefik/traefik/releases/tag/v3.7.0-rc2)

## Additional Information

- **CVE ID**: CVE-2026-3551
- **CVSS Score**: 7.8 / 10
- **Weakness**: CWE-345 (Insufficient Verification of Data Authenticity)
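## Illustration: Stripping Untrusted X-Forwarded-* Headers

The overview above describes a proxy that resets some `X-Forwarded-*` headers when `trustForwardHeader=false` but lets a client-supplied `X-Forwarded-Prefix` through. The Go program below is an added example written for this page; it is not Traefik's code and does not reproduce its fix. It contrasts a sanitizer that clears only a fixed list of headers (the failure mode the advisory describes) with one that removes every header under the `X-Forwarded-` prefix before writing the values the proxy itself observed on the connection. The `connInfo` type, the function names, and the constructed request headers are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// connInfo is what the proxy knows from its own connection, independent of
// anything the client wrote into the request headers. (Field names are an
// assumption made for this example.)
type connInfo struct {
	clientIP string // remote address of the TCP connection
	host     string // Host as received by the proxy
	proto    string // "http" or "https", taken from the proxy's own listener
}

// fixedForwardedHeaders is the list reset by the flawed variant.
// X-Forwarded-Prefix is not on it, which is the gap the advisory describes.
var fixedForwardedHeaders = []string{
	"X-Forwarded-For",
	"X-Forwarded-Host",
	"X-Forwarded-Proto",
}

// setTrusted writes the values the proxy itself observed.
func setTrusted(h http.Header, c connInfo) {
	h.Set("X-Forwarded-For", c.clientIP)
	h.Set("X-Forwarded-Host", c.host)
	h.Set("X-Forwarded-Proto", c.proto)
}

// sanitizeFixedList models the flawed behaviour: only a fixed list of headers
// is cleared, so any other X-Forwarded-* header supplied by the client survives.
func sanitizeFixedList(h http.Header, c connInfo, trustForwardHeader bool) {
	if trustForwardHeader {
		return // operator vouches for the upstream proxy; keep headers as-is
	}
	for _, name := range fixedForwardedHeaders {
		h.Del(name)
	}
	setTrusted(h, c)
}

// sanitizeAll models the hardened behaviour: every X-Forwarded-* header is
// removed before the trusted values are written, so nothing under that
// prefix remains client-controlled.
func sanitizeAll(h http.Header, c connInfo, trustForwardHeader bool) {
	if trustForwardHeader {
		return
	}
	for name := range h {
		// http.Header stores keys in canonical form, so the prefix match is reliable.
		if strings.HasPrefix(name, "X-Forwarded-") {
			delete(h, name)
		}
	}
	setTrusted(h, c)
}

// forgedHeaders is a constructed request from an untrusted client that
// claims a prefix it has no right to.
func forgedHeaders() http.Header {
	h := http.Header{}
	h.Set("X-Forwarded-For", "10.0.0.1")
	h.Set("X-Forwarded-Proto", "https")
	h.Set("X-Forwarded-Prefix", "/trusted") // attacker-chosen value
	h.Set("Authorization", "Bearer dummy")  // unrelated header, must be left alone
	return h
}

// HeadersAfter applies a sanitizer with trustForwardHeader=false to the forged
// request and returns the headers the authentication service would receive.
func HeadersAfter(sanitize func(http.Header, connInfo, bool)) http.Header {
	h := forgedHeaders()
	sanitize(h, connInfo{clientIP: "203.0.113.7", host: "app.example", proto: "http"}, false)
	return h
}

func main() {
	for _, v := range []struct {
		name string
		fn   func(http.Header, connInfo, bool)
	}{{"fixed list", sanitizeFixedList}, {"strip all", sanitizeAll}} {
		h := HeadersAfter(v.fn)
		fmt.Printf("%-10s X-Forwarded-Prefix=%q X-Forwarded-For=%q\n",
			v.name, h.Get("X-Forwarded-Prefix"), h.Get("X-Forwarded-For"))
	}
}
```

Running it shows the fixed-list sanitizer forwarding `X-Forwarded-Prefix="/trusted"` while resetting `X-Forwarded-For`, and the strip-all sanitizer forwarding no prefix at all. The design point is the allow-list direction: a proxy that does not trust the client should remove everything under `X-Forwarded-` and then set the fields it can vouch for, rather than deleting a fixed list it hopes is complete. The same check applies on the receiving side: an authentication service should treat any `X-Forwarded-*` header as untrusted unless it knows the proxy in front of it overwrites that specific header on every request.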