FIND-20260410-013 · 2026-04-10 · Innovation Veille

CVE-2026-33433 — Traefik Auth Spoofing via Non-Canonical Header Field Configuration (CVSS 5.1, Medium)

cve MEDIUM
Traefik's BasicAuth and DigestAuth middlewares are vulnerable to identity spoofing when the headerField directive is configured with non-canonical casing (e.g. x-auth-user instead of X-Auth-User). An attacker holding valid credentials can inject the canonicalized header to bypass the authentication logic and spoof their identity to backend services. CVSS 4.0 score 5.1 (Medium). Patched in Traefik 2.11.42, 3.6.12, and 3.7.0-ea.3. ODS Traefik 3.6.13 is patched.

Source

https://nvd.nist.gov/vuln/detail/CVE-2026-33433

ODS Impact

API Gateway (Traefik 3.6.13) — If ODS middleware configurations use non-canonical header field names in auth middlewares, an unpatched Traefik would allow identity spoofing between services. ODS ships Traefik 3.6.13, which is patched. Recommend auditing Traefik middleware configurations for headerField directives regardless, so that the configuration does not depend on the fix.
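An added audit helper for the recommendation above (not part of this finding, of ODS, or of Traefik): it walks a parsed Traefik dynamic configuration, flags basicAuth/digestAuth headerField values whose casing differs from the canonical form, and returns a corrected copy. The canonicalization rule is reimplemented after Go's textproto.CanonicalMIMEHeaderKey, which net/http applies to header names (assumption); the sample configuration is constructed.

```python
import copy
import re

# RFC 7230 token characters; Go leaves keys with other bytes un-canonicalized.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
AUTH_KINDS = ("basicAuth", "digestAuth")

def canonical_header_key(name: str) -> str:
    """Mirror Go's textproto.CanonicalMIMEHeaderKey: upper-case the first
    letter and every letter after '-', lower-case the rest."""
    if not TOKEN.match(name):
        return name
    out, upper = [], True
    for ch in name:
        out.append(ch.upper() if upper else ch.lower())
        upper = ch == "-"
    return "".join(out)

def audit_middlewares(config: dict) -> list[dict]:
    """Return one finding per auth middleware whose headerField is non-canonical."""
    findings = []
    for name, mw in config.get("http", {}).get("middlewares", {}).items():
        for kind in AUTH_KINDS:
            field = (mw.get(kind) or {}).get("headerField")
            if field is not None and canonical_header_key(field) != field:
                findings.append({"middleware": name, "kind": kind,
                                 "headerField": field,
                                 "canonical": canonical_header_key(field)})
    return findings

def fix_header_fields(config: dict) -> dict:
    """Return a deep copy with every flagged headerField rewritten canonically."""
    fixed = copy.deepcopy(config)
    for f in audit_middlewares(fixed):
        fixed["http"]["middlewares"][f["middleware"]][f["kind"]]["headerField"] = f["canonical"]
    return fixed

# Constructed sample of a Traefik dynamic configuration (not an ODS config);
# the user hashes are placeholders.
SAMPLE_CONFIG = {"http": {"middlewares": {
    "internal-auth": {"basicAuth": {"users": ["ops:$apr1$PLACEHOLDER"],
                                    "headerField": "x-auth-user"}},   # weak: non-canonical
    "admin-auth": {"digestAuth": {"users": ["admin:realm:PLACEHOLDER"],
                                  "headerField": "X-Auth-User"}},     # correct
    "gzip": {"compress": {}},
}}}

if __name__ == "__main__":
    for f in audit_middlewares(SAMPLE_CONFIG):
        print(f"{f['middleware']}.{f['kind']}: {f['headerField']} -> {f['canonical']}")
```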

Security Review

License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

traefik cve authentication header-injection security