Upstream information

CVE-2026-54763 at MITRE

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which many backends normalize identically to dashed forms. An attacker able to reach a protected route can inject an underscore-variant header that survives Traefik's stripping and reaches the backend alongside, or on the unauthenticated ForwardAuth authResponseHeaders path instead of, the value Traefik intended to set, spoofing identity or authorization context. This issue is fixed in versions v2.11.51, v3.6.22, and v3.7.6.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
CVSS detail National Vulnerability Database SUSE
Base Score 10 7.5
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network Network
Attack Complexity Low Low
Privileges Required None None
User Interaction None None
Scope Changed Unchanged
Confidentiality Impact High High
Integrity Impact High None
Availability Impact None None
CVSSv3 Version 3.1 3.1
CVSS v4 Scores
CVSS detail CNA (GitHub) SUSE
Base Score 7.8 7.8
Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Attack Vector Network Network
Attack Complexity Low Low
Attack Requirements None None
Privileges Required None None
User Interaction None None
Vulnerable System Confidentiality Impact None None
Vulnerable System Integrity Impact None None
Vulnerable System Availability Impact None None
Subsequent System Confidentiality Impact High High
Subsequent System Integrity Impact High High
Subsequent System Availability Impact None None
CVSSv4 Version 4.0 4.0
SUSE Bugzilla entry: 1270430 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • traefik >= 3.7.7-1.1
  • traefik2 >= 2.11.52-1.1
Patchnames:
openSUSE-Tumbleweed-2026-11243
openSUSE-Tumbleweed-2026-11251


SUSE Timeline for this CVE

CVE page created: Tue Jul 7 00:04:06 2026
CVE page last modified: Sat Jul 11 12:32:29 2026