FIND-20260404-025 · 2026-04-04 · Innovation Veille

CVE-2026-33433: Traefik BasicAuth/DigestAuth Identity Spoofing via Non-Canonical Header — Patched v3.6.12

cve MEDIUM
An attacker who already holds valid BasicAuth or DigestAuth credentials can present any identity to the backend. Traefik's BasicAuth and DigestAuth middlewares forward the authenticated username in the header named by headerField; when that name is configured in non-canonical form (x-auth-user rather than X-Auth-User), the middleware does not canonicalize it consistently with Go's header handling, so a header the attacker supplies in canonical form (X-Auth-User) can reach the backend in place of the username the middleware sets. CVSS 3.1 score. Affected: all Traefik 3.x before v3.6.12. Fix: v3.6.12 (already deployed in ODS per last-versions.json). Mitigation independent of the upgrade: use canonical header casing (X-Auth-User instead of x-auth-user) in every BasicAuth/DigestAuth middleware definition that sets headerField.
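The following Go program is an added illustration of the bug class the advisory describes, written for this entry; it is not Traefik's code and does not claim to reproduce the exact patched lines. It models a middleware that writes the authenticated user into a request with a direct Header map assignment under the configured name (hypothetical `forwardUserVulnerable`), a backend that reads the header by its canonical name, and a hardened variant (hypothetical `forwardUserFixed`) that canonicalizes the configured name before deleting and setting it. The header names, user names and the `isCanonical` helper are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
)

// isCanonical reports whether a configured headerField value is already in
// Go's canonical MIME header form (e.g. "X-Auth-User"). Non-canonical
// spellings such as "x-auth-user" are the trigger condition in the advisory.
func isCanonical(name string) bool {
	return textproto.CanonicalMIMEHeaderKey(name) == name
}

// forwardUserVulnerable models a middleware that assigns directly into the
// Header map. Direct map writes bypass canonicalization, so "x-auth-user" and
// "X-Auth-User" become two distinct keys; a client-supplied canonical copy of
// the header is left untouched for the backend to read.
func forwardUserVulnerable(req *http.Request, field, user string) {
	req.Header[field] = []string{user}
}

// forwardUserFixed canonicalizes the configured name first, then uses the
// Header methods (which canonicalize as well), so only one key can exist and
// the client-supplied value is always replaced.
func forwardUserFixed(req *http.Request, field, user string) {
	canon := textproto.CanonicalMIMEHeaderKey(field)
	req.Header.Del(canon)
	req.Header.Set(canon, user)
}

// backendIdentity models an upstream service reading the identity header the
// way almost every HTTP library does: by canonical name via Header.Get.
func backendIdentity(req *http.Request, field string) string {
	return req.Header.Get(field)
}

// simulate builds a request in which the client has already sent the header
// in canonical form with a spoofed identity (constructed attacker input), runs
// the chosen middleware for the really authenticated user, and returns the
// identity the backend ends up trusting.
func simulate(field, authenticatedUser, spoofed string, fixed bool) string {
	req, err := http.NewRequest("GET", "http://backend.internal/", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set(field, spoofed) // Set canonicalizes: stored as X-Auth-User
	if fixed {
		forwardUserFixed(req, field, authenticatedUser)
	} else {
		forwardUserVulnerable(req, field, authenticatedUser)
	}
	return backendIdentity(req, field)
}

func main() {
	for _, field := range []string{"x-auth-user", "X-Auth-User"} {
		fmt.Printf("headerField=%q canonical=%v\n", field, isCanonical(field))
		fmt.Printf("  vulnerable middleware -> backend sees %q\n",
			simulate(field, "alice", "admin", false))
		fmt.Printf("  fixed middleware      -> backend sees %q\n",
			simulate(field, "alice", "admin", true))
	}
}
```

With the non-canonical name the vulnerable path lets the backend see "admin" although "alice" authenticated; with the canonical name the same code overwrites the attacker's header, which is why canonical casing is a valid interim mitigation.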

Source

https://advisories.gitlab.com/pkg/golang/github.com/traefik/traefik/v3/CVE-2026-33433/

ODS Impact

Traefik is ODS's API Gateway and routes traffic to all microservices. ODS is already on v3.6.12, which carries the fix, so no emergency upgrade is needed. Residual check: any BasicAuth or DigestAuth middleware that sets headerField to a non-canonical name (e.g. x-auth-user) should be switched to the canonical form; middlewares that do not set headerField do not forward the username at all and are out of scope. Most ODS services use JWT (Bearer) auth via OID, so exposure is low. Verify with a case-insensitive search, since Traefik config keys are case-insensitive: grep -ri 'headerField' across the Traefik dynamic config, then check that every value is in canonical form.
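As an added audit helper for the verification step (written for this entry, not part of Traefik or ODS tooling), the Go program below scans a dynamic-config text for headerField values and flags those that differ from their canonical form. The YAML sample is constructed for the demonstration and is not an ODS config; the regular expression is an assumption that covers both YAML (`headerField: value`) and TOML (`headerField = "value"`) spellings.

```go
package main

import (
	"fmt"
	"net/textproto"
	"regexp"
	"strings"
)

// Finding records one headerField value that is not in canonical form.
type Finding struct {
	Line      int
	Value     string
	Canonical string
}

// headerFieldRe matches "headerField: x-auth-user", "headerField = \"x-auth-user\""
// and the same with any key casing (Traefik config keys are case-insensitive).
var headerFieldRe = regexp.MustCompile(`(?i)\bheaderField\s*[:=]\s*["']?([A-Za-z0-9-]+)`)

// AuditHeaderFields returns every headerField occurrence whose value is not
// equal to its canonical MIME header key, with 1-based line numbers.
func AuditHeaderFields(config string) []Finding {
	var out []Finding
	for i, line := range strings.Split(config, "\n") {
		m := headerFieldRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		value := m[1]
		canon := textproto.CanonicalMIMEHeaderKey(value)
		if value != canon {
			out = append(out, Finding{Line: i + 1, Value: value, Canonical: canon})
		}
	}
	return out
}

// sampleConfig is a constructed Traefik dynamic-config fragment for the demo.
// The first middleware uses a non-canonical name, the second the canonical one.
const sampleConfig = `# constructed sample, not an ODS config
http:
  middlewares:
    admin-auth:
      basicAuth:
        users:
          - "admin:<htpasswd-hash>"
        headerField: x-auth-user
    ops-auth:
      digestAuth:
        users:
          - "ops:traefik:<digest-hash>"
        headerField: "X-Auth-User"
`

func main() {
	findings := AuditHeaderFields(sampleConfig)
	if len(findings) == 0 {
		fmt.Println("all headerField values are canonical")
		return
	}
	for _, f := range findings {
		fmt.Printf("line %d: headerField %q is non-canonical, use %q\n", f.Line, f.Value, f.Canonical)
	}
}
```

To run it against real files, replace sampleConfig with the contents of each file returned by the grep above; the check is purely textual and does not require the config to be loadable by Traefik.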

Security Review

License: N/A (Traefik vulnerability) | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

traefik cve auth header-injection api-gateway already-patched