{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/traefik/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": [],
      "_cs_severities": ["high"],
      "_cs_tags": ["traefik", "grpc", "authorization-bypass", "cve-2026-33186"],
      "_cs_type": "advisory",
      "_cs_vendors": [],
      "content_html": "\u003cp\u003eTraefik, a popular reverse proxy and load balancer, is susceptible to a deny rule bypass (CVE-2026-33186) due to a flaw in its gRPC-Go dependency. This vulnerability affects Traefik versions prior to 2.11.42, versions 3.0.0-beta3 through 3.6.11, and versions 3.7.0-ea.1 through 3.7.0-ea.3. An unauthenticated attacker can exploit this by sending gRPC requests with a malformed HTTP/2 \u003ccode\u003e:path\u003c/code\u003e pseudo-header that omits the leading slash (e.g., \u003ccode\u003eService/Method\u003c/code\u003e instead of \u003ccode\u003e/Service/Method\u003c/code\u003e). While…\u003c/p\u003e\n",
      "date_modified": "2026-03-29T15:37:47Z",
      "date_published": "2026-03-29T15:37:47Z",
      "id": "/briefs/2026-04-traefik-grpc-bypass/",
      "summary": "A remote, unauthenticated attacker can bypass Traefik deny rules by sending malformed gRPC requests with a missing leading slash in the `:path` pseudo-header, exploiting a vulnerability in the gRPC-Go dependency, leading to unauthorized access if a fallback \"allow\" rule is configured.",
      "title": "Traefik gRPC Deny Rule Bypass Vulnerability (CVE-2026-33186)",
      "url": "https://feed.craftedsignal.io/briefs/2026-04-traefik-grpc-bypass/"
    },
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["Traefik"],
      "_cs_severities": ["high"],
      "_cs_tags": ["traefik", "authentication-bypass", "webserver"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Traefik"],
      "content_html": "\u003cp\u003eA critical authentication bypass vulnerability impacts Traefik instances utilizing the \u003ccode\u003eForwardAuth\u003c/code\u003e middleware with \u003ccode\u003etrustForwardHeader=false\u003c/code\u003e, when deployed behind a trusted upstream proxy. This vulnerability arises from Traefik\u0026rsquo;s failure to properly sanitize the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header. Although Traefik correctly rebuilds other \u003ccode\u003eX-Forwarded-*\u003c/code\u003e headers like \u003ccode\u003eX-Forwarded-For\u003c/code\u003e and \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e, it does not strip or rebuild \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e. An attacker can inject a malicious \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e value, which is then passed to the authentication service in the subrequest. If the authentication service relies on the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header for authorization decisions, an attacker can bypass access controls and reach protected backend routes. This issue affects Traefik versions v2.11.x before v2.11.43, v3.6.x before v3.6.14, and v3.7.0-rc.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a request with a crafted \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header (e.g., \u003ccode\u003eX-Forwarded-Prefix: /admin\u003c/code\u003e) to a trusted upstream proxy (e.g., nginx).\u003c/li\u003e\n\u003cli\u003eThe trusted proxy forwards the request to the Traefik instance.\u003c/li\u003e\n\u003cli\u003eTraefik\u0026rsquo;s \u003ccode\u003eStripPrefix\u003c/code\u003e middleware processes the request, stripping a configured prefix (e.g., \u003ccode\u003e/forbidden\u003c/code\u003e) and appending it to the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header using \u003ccode\u003eHeader.Add\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eForwardAuth\u003c/code\u003e middleware creates a subrequest to the authentication service, copying all incoming headers, including the attacker-controlled \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e and the \u003ccode\u003eStripPrefix\u003c/code\u003e-added value.\u003c/li\u003e\n\u003cli\u003eThe authentication service receives the subrequest with the concatenated \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e values, where the attacker\u0026rsquo;s value appears first (e.g., \u003ccode\u003eX-Forwarded-Prefix: /admin, /forbidden\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe authentication service incorrectly uses the attacker-supplied \u003ccode\u003e/admin\u003c/code\u003e prefix to make authorization decisions.\u003c/li\u003e\n\u003cli\u003eThe authentication service authorizes the request due to the spoofed prefix.\u003c/li\u003e\n\u003cli\u003eTraefik forwards the request to the protected backend route, granting the attacker unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated attackers to bypass access controls and gain unauthorized access to protected backend routes. This can lead to data breaches, unauthorized modification of resources, and other security compromises. The impact is especially severe in environments where \u003ccode\u003eStripPrefix\u003c/code\u003e is used before \u003ccode\u003eForwardAuth\u003c/code\u003e, and where the authentication service relies heavily on the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header for authorization decisions. The number of affected deployments is unknown but likely significant, given Traefik\u0026rsquo;s popularity as a reverse proxy and load balancer.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Traefik version v2.11.43, v3.6.14, or v3.7.0-rc.2 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eAs a workaround, if upgrading is not immediately feasible, configure your authentication service to validate and sanitize the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header, ensuring it only trusts values originating from the trusted proxy.\u003c/li\u003e\n\u003cli\u003eImplement the following Sigma rule to detect suspicious requests with the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header targeting the \u003ccode\u003e/forbidden\u003c/code\u003e path, indicating potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden your Traefik configuration to ensure that the \u003ccode\u003etrustForwardHeader\u003c/code\u003e parameter is appropriately set based on your deployment environment and trust relationships.\u003c/li\u003e\n\u003cli\u003eMonitor Traefik access logs for suspicious activity, especially requests with unusual \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e values, using the \u003ccode\u003ewebserver\u003c/code\u003e log source.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2024-07-03T12:00:00Z",
      "date_published": "2024-07-03T12:00:00Z",
      "id": "/briefs/2024-07-traefik-auth-bypass/",
      "summary": "A high-severity authentication bypass vulnerability exists in Traefik's `ForwardAuth` middleware when `trustForwardHeader=false` is configured and Traefik is deployed behind a trusted upstream proxy; Traefik fails to sanitize the `X-Forwarded-Prefix` header, allowing attackers to spoof a trusted prefix value and gain unauthorized access to protected backend routes.",
      "title": "Traefik ForwardAuth Authentication Bypass via X-Forwarded-Prefix Spoofing",
      "url": "https://feed.craftedsignal.io/briefs/2024-07-traefik-auth-bypass/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Traefik",
  "version": "https://jsonfeed.org/version/1.1"
}