
CVE-2026-39858 - Traefik forwarded alias auth bypass

Traefik contains a high-severity authentication bypass in ForwardAuth and snippet-based authentication middleware. Affected releases sanitize canonical forwarded headers such as X-Forwarded-Proto, but do not consistently strip or normalize alias spellings that use underscores, such as X_Forwarded_Proto.

If the authentication backend treats underscore and dash header names as equivalent, an unauthenticated attacker can send spoofed trust context to the auth service. Protected routes may then be authorized as if the request came through a trusted scheme, host, prefix, or proxy path.

Affected versions

  • Vulnerable: github.com/traefik/traefik <=1.7.34
  • Fixed: no fixed v1 release listed; migrate to a fixed v2/v3 release or isolate with compensating controls.
  • Vulnerable: github.com/traefik/traefik/v2 <2.11.43
  • Fixed: github.com/traefik/traefik/v2 2.11.43+
  • Vulnerable: github.com/traefik/traefik/v3 >=3.0.0-beta1, <3.6.14
  • Fixed: github.com/traefik/traefik/v3 3.6.14+
  • Vulnerable: github.com/traefik/traefik/v3 >=3.7.0-ea.1, <3.7.0-rc.2
  • Fixed: github.com/traefik/traefik/v3 3.7.0-rc.2+

Indicator-of-exposure

  • The repository builds, vendors, embeds, or deploys Traefik in an affected version through Go modules, container images, Helm charts, compose files, Kubernetes manifests, Terraform, Ansible, or platform runbooks.
  • Traefik protects routes with ForwardAuth or ingress-nginx snippet-style authentication middleware.
  • The authentication service uses forwarded request metadata such as scheme, host, original URI, client IP, prefix, or trusted proxy headers in its authorization decision.
  • The auth service, framework, proxy, or gateway normalizes underscore and dash header forms equivalently.
  • Public or tenant-controlled traffic can reach the protected Traefik entrypoint.

Quick checks:

rg -n "traefik|ForwardAuth|forwardAuth|authRequestHeaders|X-Forwarded|X_Forwarded|snippet" .
rg -n "traefik:v|traefik/traefik|github.com/traefik/traefik" go.mod go.sum Dockerfile* docker-compose*.yml charts deploy k8s terraform ansible .github
go list -m all | rg 'github.com/traefik/traefik'
helm template . 2>/dev/null | rg -n "traefik|forwardAuth|X-Forwarded|X_Forwarded"

Remediation strategy

  • Upgrade all Traefik v2 deployments to 2.11.43+.
  • Upgrade all Traefik v3 3.0.0-beta1 through 3.6.x deployments to 3.6.14+.
  • Upgrade all Traefik v3 3.7.0-ea.* deployments to 3.7.0-rc.2+, or move to the repository’s approved stable v3 release line if available.
  • Do not leave Traefik v1 as-is. GitHub lists no patched v1 release for this advisory, so migrate to a fixed v2/v3 release or document an operator-owned isolation plan.
  • Pin container image tags by digest where the repository controls deployment artifacts.
  • Add a strict authRequestHeaders allow-list for ForwardAuth where compatible, and do not forward client-controlled X_Forwarded_* aliases to auth services.
  • Add edge or ingress policy that denies or strips underscore-form aliases of forwarded headers while the upgrade rolls out.
  • Add non-production regression checks that spoof X_Forwarded_Proto, X_Forwarded_Host, and related aliases and verify protected routes remain denied.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-39858 (Traefik ForwardAuth forwarded-header alias
spoofing authentication bypass). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades or migrates affected Traefik
  deployments and adds practical verification, or
- TRIAGE.md if this repository does not own Traefik deployment artifacts or
  cannot make a safe patch.

## Rules

- Scope only CVE-2026-39858.
- Do not make unrelated proxy, router, identity provider, or application auth
  changes.
- Do not test exploit requests against production or external systems.
- Do not log cookies, bearer tokens, auth service responses, private headers,
  client IP lists, or user identity claims.
- Do not auto-merge.

## Steps

1. Inventory every Traefik reference in this repository:
   - Go modules and vendor trees;
   - container image tags and digests;
   - Helm charts, values, lock files, Kustomize overlays, Kubernetes manifests,
     Docker Compose files, Terraform, Ansible, CI, and runbooks;
   - generated deployment manifests, SBOMs, and image metadata.
2. Determine whether any deployable target resolves to a vulnerable version:
   - `github.com/traefik/traefik <=1.7.34`;
   - `github.com/traefik/traefik/v2 <2.11.43`;
   - `github.com/traefik/traefik/v3 >=3.0.0-beta1, <3.6.14`;
   - `github.com/traefik/traefik/v3 >=3.7.0-ea.1, <3.7.0-rc.2`.
3. Check whether the target uses `ForwardAuth` or snippet-based authentication
   middleware and whether auth services rely on forwarded headers such as
   scheme, host, URI, prefix, or client IP.
4. Patch every vulnerable target:
   - Traefik v2: upgrade to `2.11.43+`;
   - Traefik v3 stable/beta line: upgrade to `3.6.14+`;
   - Traefik v3 early-access/RC line: upgrade to `3.7.0-rc.2+` or the
     repository's approved fixed stable line;
   - Traefik v1: migrate to a fixed v2/v3 release or stop with TRIAGE.md
     documenting why no patched v1 release can be consumed.
5. Regenerate dependency locks, Helm locks, rendered manifests, image metadata,
   SBOMs, and digest pins according to the repository's normal workflow.
6. Add or tighten safe containment where this repo controls it:
   - set `authRequestHeaders` to an explicit allow-list when compatible;
   - deny or strip underscore-form forwarded aliases such as
     `X_Forwarded_Proto`, `X_Forwarded_Host`, `X_Forwarded_For`,
     `X_Forwarded_Port`, `X_Forwarded_Prefix`, and `X_Forwarded_Uri` at the
     outer edge;
   - document that auth backends must not trust client-supplied forwarded
     metadata.
7. Add non-production verification that a protected route stays denied when a
   request includes underscore-form forwarded aliases. Use synthetic headers
   only, avoid real credentials, and keep the check in tests, local compose
   smoke tests, or operator runbooks.
8. Add a PR body section named `CVE-2026-39858 exposure and rollout` that
   states:
   - each Traefik target and resolved version before and after the change;
   - whether `ForwardAuth` or snippet-based auth is configured;
   - whether strict `authRequestHeaders` or edge header-deny policy was added;
   - which non-production spoofed-header check was run;
   - any required operator rollout or config reload actions.
9. Run the relevant validation: Go tests if Traefik is embedded, dependency
   resolution, Helm/template rendering, compose config validation, Kubernetes
   schema validation, image build, and security/dependency scans available in
   this repository.
10. Use PR title:
    `fix(sec): remediate CVE-2026-39858 in Traefik`

## Stop conditions

- The repository does not own Traefik dependencies, images, or deployment
  manifests.
- Traefik v1 is deployed and cannot be migrated within this change.
- The target requires a broader proxy or identity-provider migration before a
  fixed Traefik release can be consumed.
- Verification requires attacking production or exposing real credentials.
- Validation fails for unrelated pre-existing reasons; document the failure
  instead of broadening scope.
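An added example, not code from the advisory, the prompt, or Traefik itself, of the containment described in the remediation list and in prompt steps 6 and 7: a Go edge middleware that rejects any request carrying an underscore-form alias of a forwarded header, plus an allow-list copy of headers for the auth request in the spirit of a strict authRequestHeaders list. The trusted-header set, the function names and the local port are constructed for this example.

```go
package main

import (
	"net/http"
	"strings"
)

var forwardedHeaders = map[string]bool{ // constructed list of canonical names an auth backend may trust
	"X-Forwarded-Proto": true, "X-Forwarded-Host": true, "X-Forwarded-For": true,
	"X-Forwarded-Port": true, "X-Forwarded-Prefix": true, "X-Forwarded-Uri": true,
}

// AliasCollisions lists names in h that are not canonical but collide with a forwarded header once '_' maps to '-'.
func AliasCollisions(h http.Header) []string {
	var hits []string
	for name := range h {
		norm := http.CanonicalHeaderKey(strings.ReplaceAll(name, "_", "-"))
		if forwardedHeaders[norm] && norm != http.CanonicalHeaderKey(name) {
			hits = append(hits, name)
		}
	}
	return hits
}

// DenyForwardedAliases is the edge policy: reject the request before any auth decision is made.
func DenyForwardedAliases(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(AliasCollisions(r.Header)) > 0 { // generic message; never echo names or values back
			http.Error(w, "forwarded header alias rejected", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// AuthRequestHeaders copies only allow-listed canonical names into the auth request (strict authRequestHeaders).
func AuthRequestHeaders(in http.Header, allow []string) http.Header {
	out := http.Header{}
	for _, name := range allow {
		key := http.CanonicalHeaderKey(name)
		if v, ok := in[key]; ok {
			out[key] = append([]string(nil), v...)
		}
	}
	return out
}

func main() { // stand-alone: guard a placeholder handler on a constructed local port
	http.ListenAndServe("127.0.0.1:8080", DenyForwardedAliases(http.NotFoundHandler()))
}
```

The same middleware doubles as the non-production regression check from step 7: send a synthetic request with X_Forwarded_Proto or X_Forwarded_Host through it and confirm the protected handler is never reached.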

Verification - what the reviewer looks for

  • No deployable target remains on Traefik v2 <2.11.43, v3 <3.6.14, affected 3.7.0-ea.* builds, or unsupported vulnerable v1.
  • The change updates the real delivery path: image tags/digests, Helm values, compose files, Kubernetes manifests, Go modules, generated manifests, and SBOMs where applicable.
  • ForwardAuth or snippet-based auth exposure is explicitly recorded in the PR body.
  • Regression or smoke-test evidence shows spoofed X_Forwarded_* headers do not authorize protected routes in non-production.
  • Builds, dependency resolution, manifest rendering, and security scans pass or unrelated failures are documented.

Watch for

  • Upgrading only to 2.11.42, 3.6.12, or 3.7.0-ea.3; those fixed earlier Traefik auth issues but not this advisory.
  • Floating image tags such as traefik:v3 that make the patch non-reproducible.
  • Auth services that normalize underscores to dashes even after Traefik is patched.
  • Middleware chains that also need the same release for nearby Traefik auth bypass advisories, especially CVE-2026-35051 and CVE-2026-40912.
