CVE-2026-26998

4.4 MEDIUM

📋 TL;DR

Traefik reverse proxy versions before 2.11.38 (2.x branch) and 3.6.9 (3.x branch) have a memory exhaustion vulnerability in the ForwardAuth middleware. When configured with ForwardAuth, Traefik reads authentication server responses without a size limit, so an attacker who can influence the authentication server's response can crash the service with a very large body. This affects all Traefik instances using the ForwardAuth middleware.
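To make the mechanism concrete, the following is an added Go example, not Traefik's code and not the vendor's patch: a ForwardAuth-style round trip where the unbounded body read is shown beside a capped read that fails closed when the authentication server sends more than the cap. The cap value, the function names and the fake authentication server are assumptions made for the illustration only.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxAuthBodyBytes is an assumed cap chosen for this illustration; it is not a
// Traefik setting and not the value used in the vendor fix.
const maxAuthBodyBytes = 1 << 20 // 1 MiB

// ErrAuthResponseTooLarge is returned when the auth server body exceeds the cap.
var ErrAuthResponseTooLarge = errors.New("auth server response body exceeds limit")

// readAuthBodyUnbounded is the risky pattern the advisory describes: the whole
// body is buffered in memory no matter how large it is.
func readAuthBodyUnbounded(body io.Reader) ([]byte, error) {
	return io.ReadAll(body)
}

// readAuthBodyBounded reads at most max bytes and fails closed if the body is
// larger, so a hostile or misconfigured auth server cannot force the proxy to
// allocate without limit.
func readAuthBodyBounded(body io.Reader, max int64) ([]byte, error) {
	// Read one byte past the cap so "exactly max" and "too big" are distinguishable.
	buf, err := io.ReadAll(io.LimitReader(body, max+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > max {
		return nil, ErrAuthResponseTooLarge
	}
	return buf, nil
}

// forwardAuthDecision performs one forward-auth round trip against authURL and
// returns (allowed, body, err). A 2xx status allows the request; anything else
// denies it, and the denial body is read with the cap so it can be relayed safely.
func forwardAuthDecision(client *http.Client, authURL string) (bool, []byte, error) {
	resp, err := client.Get(authURL)
	if err != nil {
		return false, nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 200 && resp.StatusCode < 300 {
		// Headers carry the decision; drain at most the cap and discard the rest.
		_, _ = io.Copy(io.Discard, io.LimitReader(resp.Body, maxAuthBodyBytes))
		return true, nil, nil
	}
	body, err := readAuthBodyBounded(resp.Body, maxAuthBodyBytes)
	if err != nil {
		return false, nil, err
	}
	return false, body, nil
}

// newFakeAuthServer is a constructed stand-in for an authentication server that
// answers every request with the given status and a body of bodySize bytes.
func newFakeAuthServer(status int, bodySize int) *httptest.Server {
	body := strings.Repeat("x", bodySize)
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(status)
		_, _ = io.WriteString(w, body)
	}))
}

func main() {
	// A denial four times larger than the cap is rejected instead of buffered.
	srv := newFakeAuthServer(http.StatusForbidden, 4*maxAuthBodyBytes)
	defer srv.Close()
	allowed, body, err := forwardAuthDecision(srv.Client(), srv.URL)
	fmt.Printf("allowed=%v bodyBytes=%d err=%v\n", allowed, len(body), err)
}
```

The bounded reader is the defender's takeaway: whatever the proxy does with the authentication server's body, the amount it will hold in memory per request is fixed in advance, so a single oversized response cannot take the whole instance down.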

💻 Affected Systems

Products:
  • Traefik
Versions: All 2.x releases before 2.11.38 and all 3.x releases before 3.6.9
Operating Systems: All platforms running Traefik
Default Config Vulnerable: ✅ No
Notes: Only affects systems with ForwardAuth middleware configured and enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service for all routes served by the Traefik instance due to an out-of-memory crash, requiring a manual restart.

🟠

Likely Case

Service disruption when authentication server returns unexpectedly large responses, either maliciously or due to misconfiguration.

🟢

If Mitigated

Minimal impact if authentication servers are trusted and properly configured to return reasonable response sizes.

🌐 Internet-Facing: MEDIUM - Requires ForwardAuth configuration and ability to influence authentication server responses.
🏢 Internal Only: MEDIUM - Same technical risk but potentially lower attack surface within internal networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to control or influence authentication server responses. No authentication bypass or code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.38 or 3.6.9

Vendor Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-fw45-f5q2-2p4x

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Stop the Traefik service.
3. Update to Traefik 2.11.38+ or 3.6.9+.
4. Restart the Traefik service.
5. Verify the service is running and functional.

🔧 Temporary Workarounds

Limit authentication server response size (applies to: all)

Configure authentication servers to limit response body sizes to reasonable values (e.g., under 10MB)

Disable ForwardAuth middleware (applies to: all)

Temporarily disable ForwardAuth middleware if not essential for operations

# Edit Traefik configuration to remove or comment out ForwardAuth middleware sections

🧯 If You Can't Patch

  • Implement network controls to restrict access to authentication servers
  • Monitor authentication server response sizes and implement alerts for abnormal patterns

🔍 How to Verify

Check if Vulnerable:

Check Traefik version and ForwardAuth configuration: traefik version && grep -ri 'forwardauth' /etc/traefik/ (the search is case-insensitive because the key is spelled forwardAuth in YAML/TOML and lowercase in provider labels; middleware defined outside the file provider, such as container labels or Kubernetes Middleware resources, will not appear under /etc/traefik/ and must be checked where that dynamic configuration lives)

Check Version:

traefik version

Verify Fix Applied:

Confirm version is 2.11.38+ (v2) or 3.6.9+ (v3): traefik version
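The version check above has a pitfall: the fix lives on two release branches, so a plain "newer than 2.11.38" comparison would wrongly clear 3.0.0 through 3.6.8. The following is an added Go example, not a Traefik tool, that parses the output of traefik version, compares per branch, and combines the result with a case-insensitive ForwardAuth search of a dynamic configuration snippet. The sample output and configuration are constructed, and the output format assumed here is the "Version:" line that traefik version prints.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Fixed releases named in the advisory, keyed by major release branch.
var fixedByMajor = map[int][3]int{
	2: {2, 11, 38},
	3: {3, 6, 9},
}

// Assessment outcomes returned by assess.
const (
	StatusVulnerable  = "vulnerable"
	StatusFixed       = "fixed"
	StatusNotAffected = "not-affected"
)

// Constructed sample in the shape traefik version prints (assumed format).
const sampleVersionOutput = `Version:      2.11.37
Go version:   go1.22.0
OS/Arch:      linux/amd64
`

// Constructed file-provider snippet; auth.internal is a hypothetical host.
const sampleFileConfig = `http:
  middlewares:
    auth-check:
      forwardAuth:
        address: "http://auth.internal:4181/verify"
`

// parseVersion turns "2.11.37" or "v3.6.8" into [major, minor, patch].
func parseVersion(s string) ([3]int, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return [3]int{}, fmt.Errorf("unexpected version format %q", s)
	}
	var v [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			// Pre-release or dev builds ("3.6.9-rc1", "dev") are not classified;
			// report them as unknown rather than guessing.
			return [3]int{}, fmt.Errorf("non-numeric version component %q", p)
		}
		v[i] = n
	}
	return v, nil
}

// isFixed compares within the version's own branch: 3.0.0 is numerically newer
// than 2.11.38 but still predates the 3.x fix.
func isFixed(v [3]int) (bool, error) {
	fixed, ok := fixedByMajor[v[0]]
	if !ok {
		return false, fmt.Errorf("no fixed release known for the %d.x branch", v[0])
	}
	for i := 0; i < 3; i++ {
		if v[i] != fixed[i] {
			return v[i] > fixed[i], nil
		}
	}
	return true, nil
}

// versionFromOutput extracts the value of the "Version:" line.
func versionFromOutput(out string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "Version:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "Version:")), nil
		}
	}
	return "", fmt.Errorf("no Version: line found")
}

// configUsesForwardAuth is case-insensitive because the key is written
// forwardAuth in YAML/TOML and forwardauth in provider labels.
func configUsesForwardAuth(config string) bool {
	return strings.Contains(strings.ToLower(config), "forwardauth")
}

// assess is vulnerable only when ForwardAuth is configured and the running
// version predates the fix on its branch.
func assess(versionOutput, dynamicConfig string) (string, error) {
	if !configUsesForwardAuth(dynamicConfig) {
		return StatusNotAffected, nil
	}
	raw, err := versionFromOutput(versionOutput)
	if err != nil {
		return "", err
	}
	v, err := parseVersion(raw)
	if err != nil {
		return "", err
	}
	fixed, err := isFixed(v)
	if err != nil {
		return "", err
	}
	if fixed {
		return StatusFixed, nil
	}
	return StatusVulnerable, nil
}

func main() {
	status, err := assess(sampleVersionOutput, sampleFileConfig)
	fmt.Printf("status=%s err=%v\n", status, err)
}
```

In practice the two inputs would be the captured output of traefik version and the concatenated dynamic configuration from every provider in use; an unknown branch or a pre-release string is reported as an error rather than silently marked safe.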

📡 Detection & Monitoring

Log Indicators:

  • Traefik process crashes with out-of-memory errors
  • High memory usage spikes in monitoring
  • Authentication server returning unusually large responses

Network Indicators:

  • Large HTTP responses from authentication servers to Traefik instances

SIEM Query:

source="traefik" AND ("out of memory" OR "OOM" OR "panic")
