CVE-2026-29054

Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/traefik/traefik/releases/tag/v2.11.38	Product Release Notes
https://github.com/traefik/traefik/releases/tag/v3.6.9	Product Release Notes
https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:traefik:traefik::::::::
	cpe:2.3:a:traefik:traefik::::::::

History

17 Jun 2026, 10:29

Type	Values Removed	Values Added
Summary		(es) Traefik es un proxy inverso HTTP y un equilibrador de carga. Desde la versión 2.11.9 hasta la 2.11.37 y desde la versión 3.1.3 hasta la 3.6.8, existe una potencial vulnerabilidad en Traefik al gestionar el encabezado Connection con los encabezados X-Forwarded. Cuando Traefik procesa solicitudes HTTP/1.1, la protección implementada para evitar la eliminación de los encabezados X-Forwarded gestionados por Traefik (como X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) a través del encabezado Connection no maneja correctamente la distinción entre mayúsculas y minúsculas. Los tokens de Connection se comparan con distinción entre mayúsculas y minúsculas con los nombres de los encabezados protegidos, pero la eliminación real del encabezado opera sin distinción entre mayúsculas y minúsculas. Como resultado, un cliente remoto no autenticado puede usar tokens de Connection en minúsculas (p. ej., Connection: x-real-ip) para eludir la protección y activar la eliminación de los encabezados de identidad reenviados gestionados por Traefik. Este problema ha sido parcheado en las versiones 2.11.38 y 3.6.9.

06 Mar 2026, 15:26

Type	Values Removed	Values Added
CPE		cpe:2.3:a:traefik:traefik::::::::
First Time		Traefik Traefik traefik
References	~~() https://github.com/traefik/traefik/releases/tag/v2.11.38 -~~	() https://github.com/traefik/traefik/releases/tag/v2.11.38 - Product, Release Notes
References	~~() https://github.com/traefik/traefik/releases/tag/v3.6.9 -~~	() https://github.com/traefik/traefik/releases/tag/v3.6.9 - Product, Release Notes
References	~~() https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52 -~~	() https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52 - Patch, Vendor Advisory

05 Mar 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 19:16

Updated : 2026-06-17 10:29

NVD link : CVE-2026-29054

Mitre link : CVE-2026-29054

CVE.ORG link : CVE-2026-29054

JSON object : View

Products Affected

traefik

traefik

CWE

CWE-178

Improper Handling of Case Sensitivity

7.5 /10