{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29054", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T17:50:11.244Z", "datePublished": "2026-03-05T16:18:49.230Z", "dateUpdated": "2026-03-06T16:11:57.698Z"}, "containers": {"cna": {"title": "Traefik: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)", "problemTypes": [{"descriptions": [{"cweId": "CWE-178", "lang": "en", "description": "CWE-178: Improper Handling of Case Sensitivity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.11.38", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.38"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.9"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": ">= 2.11.9, < 2.11.38", "status": "affected"}, {"version": ">= 3.1.3, < 3.6.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T16:18:49.230Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9."}], "source": {"advisory": "GHSA-92mv-8f8w-wq52", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T16:00:33.916346Z", "id": "CVE-2026-29054", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:11:57.698Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29054", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T16:00:33.916346Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:00:34.965Z"}}], "cna": {"title": "Traefik: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)", "source": {"advisory": "GHSA-92mv-8f8w-wq52", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": ">= 2.11.9, < 2.11.38"}, {"status": "affected", "version": ">= 3.1.3, < 3.6.9"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.11.38", "name": "https://github.com/traefik/traefik/releases/tag/v2.11.38", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.9", "name": "https://github.com/traefik/traefik/releases/tag/v3.6.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-178", "description": "CWE-178: Improper Handling of Case Sensitivity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T16:18:49.230Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29054", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:11:57.698Z", "dateReserved": "2026-03-03T17:50:11.244Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T16:18:49.230Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBEECE25-1AC0-4A93-8CA9-3C1AEBF85E86", "versionEndExcluding": "2.11.38", "versionStartIncluding": "2.11.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "07558342-0979-427E-A153-610F1B378CD6", "versionEndExcluding": "3.6.9", "versionStartIncluding": "3.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9."}], "id": "CVE-2026-29054", "lastModified": "2026-03-06T15:26:20.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T19:16:15.277", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.38"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.9"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-178"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/traefik/traefik: Traefik: Information disclosure due to case-insensitive Connection header processing", "id": "2444872", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444872"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-178", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-29054", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-03-05T16:18:49Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29054\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29054\nhttps://github.com/traefik/traefik/releases/tag/v2.11.38\nhttps://github.com/traefik/traefik/releases/tag/v3.6.9\nhttps://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.11.9,2.11.38)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.1.3,3.6.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "traefik", "source": "cna", "vendor": "traefik"}, "product": "traefik", "vendor": "traefik"}], "analysis": {"en": {"generated_at": "2026-04-16T12:18:41.770944+00:00", "value": {"mitigation_remediation": ["Upgrade to Traefik\u202f2.11.38 or newer, or to 3.6.9 or newer, which contain the fix for the case\u2011sensitivity bug.", "If an immediate upgrade is not possible, block or strip lowercase Connection header tokens (e.g., x-real-ip) with a front\u2011end firewall or reverse proxy before they reach Traefik.", "Enable logging of header manipulations and regularly review logs for anomalous attempts to delete X\u2011Forwarded headers."], "summary": {"action": "Immediate Patch", "impact": "Removal of critical X-Forwarded headers by a remote client"}, "threat_synthesis": {"affected_systems": "The flaw affects Traefik version 2.11.9 through 2.11.37 and 3.1.3 through 3.6.8. Clients that use HTTP/1.1 to communicate with any of these releases may trigger the header deletion logic.", "description_and_impact": "Traefik is a popular HTTP reverse proxy that inserts client\u2011identity headers such as X-Real-Ip, X-Forwarded-Host, and X-Forwarded-Port for use by backend services. This vulnerability arises from a case\u2011sensitivity bug in the handling of the Connection header: the comparison that protects against removal of these headers is case\u2011sensitive, yet the actual deletion operation treats the header case\u2011insensitively. As a result, an unauthenticated HTTP/1.1 client can send a Connection header with a lowercase token (for example, Connection: x-real-ip) and cause Traefik to strip the corresponding forwarded identity header. The loss of these headers can undermine authentication, rate\u2011limiting, logging, and profiling mechanisms on downstream services, potentially enabling spoofing of client identity or denial of service conditions that rely on accurate header data.", "risk_and_exploitability": "The CVSS v3.1 score is 7.5, indicating a high severity. The EPSS score is below 1%, implying exploitation is not widely observed. The vulnerability is not currently listed in the CISA KEV catalog. A remote attacker can exploit the flaw via a simple HTTP request; no authentication or privileged access is required, and the attack vector is network\u2011based, sending a crafted Connection header."}}}}, "created": "2026-03-06T15:01:38.564119+00:00", "updated": "2026-04-16T12:30:06.111015+00:00", "vendors": ["traefik", "traefik$PRODUCT$traefik"], "weaknesses": ["CWE-178"]}