Traefik — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/traefik/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSun, 29 Mar 2026 15:37:47 +0000Traefik gRPC Deny Rule Bypass Vulnerability (CVE-2026-33186)https://feed.craftedsignal.io/briefs/2026-04-traefik-grpc-bypass/Sun, 29 Mar 2026 15:37:47 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-traefik-grpc-bypass/A remote, unauthenticated attacker can bypass Traefik deny rules by sending malformed gRPC requests with a missing leading slash in the `:path` pseudo-header, exploiting a vulnerability in the gRPC-Go dependency, leading to unauthorized access if a fallback "allow" rule is configured.Traefik, a popular reverse proxy and load balancer, is susceptible to a denial rule bypass (CVE-2026-33186) due to a flaw in its gRPC-Go dependency. This vulnerability affects Traefik versions prior to 2.11.42, versions 3.0.0-beta3 through 3.6.11, and versions 3.7.0-ea.1 through 3.7.0-ea.3. An unauthenticated attacker can exploit this by sending gRPC requests with a malformed HTTP/2 :path pseudo-header that omits the leading slash (e.g., Service/Method instead of /Service/Method). While…

]]>highadvisorytraefikgrpcauthorization-bypasscve-2026-33186Traefik ForwardAuth Authentication Bypass via X-Forwarded-Prefix Spoofinghttps://feed.craftedsignal.io/briefs/2024-07-traefik-auth-bypass/Wed, 03 Jul 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-07-traefik-auth-bypass/A high-severity authentication bypass vulnerability exists in Traefik's `ForwardAuth` middleware when `trustForwardHeader=false` is configured and Traefik is deployed behind a trusted upstream proxy; Traefik fails to sanitize the `X-Forwarded-Prefix` header, allowing attackers to spoof a trusted prefix value and gain unauthorized access to protected backend routes.A critical authentication bypass vulnerability impacts Traefik instances utilizing the ForwardAuth middleware with trustForwardHeader=false, when deployed behind a trusted upstream proxy. This vulnerability arises from Traefik’s failure to properly sanitize the X-Forwarded-Prefix header. Although Traefik correctly rebuilds other X-Forwarded-* headers like X-Forwarded-For and X-Forwarded-Host, it does not strip or rebuild X-Forwarded-Prefix. An attacker can inject a malicious X-Forwarded-Prefix value, which is then passed to the authentication service in the subrequest. If the authentication service relies on the X-Forwarded-Prefix header for authorization decisions, an attacker can bypass access controls and reach protected backend routes. This issue affects Traefik versions v2.11.x before v2.11.43, v3.6.x before v3.6.14, and v3.7.0-rc.1.

Attack Chain

  1. An attacker sends a request with a crafted X-Forwarded-Prefix header (e.g., X-Forwarded-Prefix: /admin) to a trusted upstream proxy (e.g., nginx).
  2. The trusted proxy forwards the request to the Traefik instance.
  3. Traefik’s StripPrefix middleware processes the request, stripping a configured prefix (e.g., /forbidden) and appending it to the X-Forwarded-Prefix header using Header.Add.
  4. The ForwardAuth middleware creates a subrequest to the authentication service, copying all incoming headers, including the attacker-controlled X-Forwarded-Prefix and the StripPrefix-added value.
  5. The authentication service receives the subrequest with the concatenated X-Forwarded-Prefix values, where the attacker’s value appears first (e.g., X-Forwarded-Prefix: /admin, /forbidden).
  6. The authentication service incorrectly uses the attacker-supplied /admin prefix to make authorization decisions.
  7. The authentication service authorizes the request due to the spoofed prefix.
  8. Traefik forwards the request to the protected backend route, granting the attacker unauthorized access.

Impact

Successful exploitation allows unauthenticated attackers to bypass access controls and gain unauthorized access to protected backend routes. This can lead to data breaches, unauthorized modification of resources, and other security compromises. The impact is especially severe in environments where StripPrefix is used before ForwardAuth, and where the authentication service relies heavily on the X-Forwarded-Prefix header for authorization decisions. The number of affected deployments is unknown but likely significant, given Traefik’s popularity as a reverse proxy and load balancer.

Recommendation

  • Upgrade to Traefik version v2.11.43, v3.6.14, or v3.7.0-rc.2 or later to patch the vulnerability.
  • As a workaround, if upgrading is not immediately feasible, configure your authentication service to validate and sanitize the X-Forwarded-Prefix header, ensuring it only trusts values originating from the trusted proxy.
  • Implement the following Sigma rule to detect suspicious requests with the X-Forwarded-Prefix header targeting the /forbidden path, indicating potential exploitation attempts.
  • Review and harden your Traefik configuration to ensure that the trustForwardHeader parameter is appropriately set based on your deployment environment and trust relationships.
  • Monitor Traefik access logs for suspicious activity, especially requests with unusual X-Forwarded-Prefix values, using the webserver log source.
]]>highadvisorytraefikauthentication-bypasswebserver