CVE-2026-54764
Severity CVSS v4.0:
MEDIUM
Type:
CWE-345
Insufficient Verification of Data Authenticity
Publication date:
06/07/2026
Last modified:
08/07/2026
Description
Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's ForwardAuth middleware, even when configured with trustForwardHeader: false, derives the X-Forwarded-Port header sent to the authentication service from the original incoming request instead of the sanitized forwarded request. As a result, an unauthenticated remote attacker can inject an X-Forwarded-Proto: https header over a plain HTTP connection and cause Traefik to forward X-Forwarded-Port: 443 to the authentication service, bypassing port-based authorization checks. This issue is fixed in versions v2.11.51, v3.6.22, and v3.7.6.
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
Base Score 3.x
5.80
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* | 2.11.51 (excluding) | |
| cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* | 3.0.0 (including) | 3.6.22 (excluding) |
| cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* | 3.7.0 (including) | 3.7.6 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



