FIND-20260401-014 · 2026-04-01 · Innovation Veille
CVE-2026-33433 — Traefik MEDIUM AuthN spoofing via non-canonical headerField (PATCH to v3.6.12)
cve
MEDIUM
CVE-2026-33433 (CVSS 5.1, MEDIUM): When Traefik BasicAuth/DigestAuth middleware is configured with a non-canonical headerField (e.g., x-auth-user instead of X-Auth-User), an authenticated attacker can inject the canonical version of that header to impersonate any identity to the backend. Requires: non-canonical headerField config + valid (non-privileged) credentials. Patched in Traefik 3.6.12, 2.11.42, 3.7.0-ea.3 (same release as CVE-2026-33186, 2026-03-26).
Source
https://cvereports.com/reports/CVE-2026-33433
ODS Impact
Same patch as FIND-20260401-002 (CVE-2026-33186) — upgrading Traefik to 3.6.12 fixes both CVEs. Additionally audit ODS Traefik middleware configs to ensure all headerField values are canonically cased (e.g., X-Tenant-Id not x-tenant-id).
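To support the config audit recommended above, here is an added example (not Traefik's or ODS's own code) that walks a Traefik dynamic config already loaded into a dict (e.g. via yaml.safe_load, not shown) and flags every headerField whose value is not in the canonical form Go's net/http applies to incoming header names; the sample config and its middleware names are constructed.

```python
def canonical_header_key(name: str) -> str:
    """Mirror Go's textproto.CanonicalMIMEHeaderKey: the first letter of each
    hyphen-separated word is uppercased, everything else lowercased
    (x-auth-user -> X-Auth-User). Simplification: Go leaves names containing
    invalid token bytes untouched; a headerField should be a plain ASCII token."""
    out = []
    upper = True
    for ch in name:
        out.append(ch.upper() if upper else ch.lower())
        upper = ch == "-"
    return "".join(out)


def find_non_canonical_header_fields(node, path: str = "") -> list[tuple[str, str, str]]:
    """Recursively walk a loaded Traefik dynamic config and report every
    headerField whose value is not canonically cased.
    Returns (config path, configured value, canonical value) per finding."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "headerField" and isinstance(value, str):
                canon = canonical_header_key(value)
                if value != canon:
                    findings.append((child, value, canon))
            else:
                findings.extend(find_non_canonical_header_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_non_canonical_header_fields(item, f"{path}[{i}]"))
    return findings


# Constructed sample: dict shape of a Traefik YAML dynamic config with one
# basicAuth middleware using a non-canonical headerField (the weak setting
# this CVE concerns) and one digestAuth middleware already canonically cased.
SAMPLE_CONFIG = {
    "http": {
        "middlewares": {
            "tenant-auth": {"basicAuth": {"usersFile": "/etc/traefik/users", "headerField": "x-tenant-id"}},
            "admin-auth": {"digestAuth": {"usersFile": "/etc/traefik/admins", "headerField": "X-Auth-User"}},
        }
    }
}

if __name__ == "__main__":
    for where, value, canon in find_non_canonical_header_fields(SAMPLE_CONFIG):
        print(f"{where}: headerField {value!r} is not canonical; use {canon!r}")
```

A clean run prints nothing; any line printed names a middleware whose headerField must be re-cased regardless of the Traefik upgrade.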
Security Review
License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION
Tags
traefik
cve
medium
authentication
header-injection
api-gateway
security