{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33433", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T18:45:22.436Z", "datePublished": "2026-03-27T13:49:08.455Z", "dateUpdated": "2026-03-30T12:00:41.940Z"}, "containers": {"cna": {"title": "Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField", "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.11.42", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.42"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 2.11.42", "status": "affected"}, {"version": ">= 3.0.0-beta1, < 3.6.11", "status": "affected"}, {"version": ">= 3.7.0-ea.1, < 3.7.0-ea.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T13:49:08.455Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries \u2014 the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue."}], "source": {"advisory": "GHSA-qr99-7898-vr7c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T12:00:28.784939Z", "id": "CVE-2026-33433", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T12:00:41.940Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33433", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T12:00:28.784939Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T12:00:37.578Z"}}], "cna": {"title": "Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField", "source": {"advisory": "GHSA-qr99-7898-vr7c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": "< 2.11.42"}, {"status": "affected", "version": ">= 3.0.0-beta1, < 3.6.11"}, {"status": "affected", "version": ">= 3.7.0-ea.1, < 3.7.0-ea.3"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.11.42", "name": "https://github.com/traefik/traefik/releases/tag/v2.11.42", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "name": "https://github.com/traefik/traefik/releases/tag/v3.6.11", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3", "name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries \u2014 the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T13:49:08.455Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33433", "state": "PUBLISHED", "dateUpdated": "2026-03-30T12:00:41.940Z", "dateReserved": "2026-03-19T18:45:22.436Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T13:49:08.455Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "EDF93D3C-490C-4EC6-A934-8B877C389491", "versionEndExcluding": "2.11.42", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CDD2F75-D51B-4443-B0B6-4ED956ADE494", "versionEndExcluding": "3.6.12", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*", "matchCriteriaId": "7881B288-5141-4508-AB71-3F7586168437", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:3.7.0:ea2:*:*:*:*:*:*", "matchCriteriaId": "AE5788A2-CCF9-4E87-8B94-133874F99CAE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries \u2014 the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue."}], "id": "CVE-2026-33433", "lastModified": "2026-04-03T17:09:06.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T15:16:54.980", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.42"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/traefik/traefik: Traefik: Authentication bypass via non-canonical HTTP header injection", "id": "2452289", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452289"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-290", "details": ["A flaw was found in Traefik, an HTTP reverse proxy and load balancer. When the `headerField` is configured with a non-canonical HTTP header name, an authenticated attacker can inject a canonical version of that header. This allows the attacker to impersonate any identity to the backend, leading to an authentication bypass. The backend prioritizes the attacker-injected header, overriding Traefik's intended header."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33433", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-03-27T13:49:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33433\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33433\nhttps://github.com/traefik/traefik/releases/tag/v2.11.42\nhttps://github.com/traefik/traefik/releases/tag/v3.6.11\nhttps://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3\nhttps://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.42)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0-beta1,3.6.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.7.0-ea.1,3.7.0-ea.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "traefik", "source": "cna", "vendor": "traefik"}, "product": "traefik", "vendor": "traefik"}], "analysis": {"en": {"generated_at": "2026-04-03T20:26:07.700944+00:00", "value": {"mitigation_remediation": ["Upgrade Traefik to version 2.11.42 or later, 3.6.11 or later, or 3.7.0\u2011ea.3 or later."], "summary": {"action": "Patch Immediately", "impact": "Authentication Bypass via Header Spoofing"}, "threat_synthesis": {"affected_systems": "Traefik reverse\u2011proxy and load\u2011balancer versions prior to 2.11.42, 3.6.11, and 3.7.0\u2011ea.3 are affected. The vulnerability is present in all editions of the Traefik product managed through the vendor \"traefik:traefik\".", "description_and_impact": "Traefik allows an authenticated attacker to configure a non-canonical HTTP header name in the headerField setting (for example, \"x-auth-user\" instead of \"X-Auth-User\"). When this is done, the attacker can inject the canonical form of that header. The backend server receives two header entries; the attacker\u2011supplied canonical header is processed first and overrides the non\u2011canonical value, effectively allowing the attacker to impersonate any identity to the backend. This results in a denial of access control and could enable data exfiltration or unauthorized actions under the victim\u2019s identity.", "risk_and_exploitability": "The CVSS score for this vulnerability is 5.1, indicating moderate severity, while the EPSS score is below 1\u202f% and it is not listed in the CISA KEV catalog. The likely attack vector is a remote authenticated user who can modify Traefik\u2019s headerField configuration. By injecting the canonical header, the attacker can successfully bypass authentication controls on the backend, effectively gaining impersonation privileges. Given the moderate CVSS but low exploitation probability, the risk is significant for exposed services that rely on Traefik for identity propagation."}}}}, "created": "2026-03-27T20:28:50.486123+00:00", "updated": "2026-04-03T21:18:00.180248+00:00", "vendors": ["traefik", "traefik$PRODUCT$traefik"]}