CVE-2026-29054
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to bypass Traefik's protection mechanisms and remove critical X-Forwarded headers that identify client information. Attackers can manipulate the Connection header using lowercase tokens to strip identity headers like X-Real-IP and X-Forwarded-Host. This affects Traefik reverse proxy deployments running vulnerable versions 2.11.9-2.11.37 or 3.1.3-3.6.8.
💻 Affected Systems
- Traefik
📦 What is this software?
Traefik by Traefik
⚠️ Risk & Real-World Impact
Worst Case
Attackers can completely obfuscate their identity, making requests appear to originate from the proxy itself, enabling IP spoofing, bypassing IP-based access controls, and hiding attack sources in logs.
Likely Case
Attackers can strip client identity headers, making forensic investigation difficult and potentially bypassing some IP-based security controls.
If Mitigated
With proper network segmentation and additional authentication layers, the impact is limited to loss of accurate client IP logging.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP/1.1 requests with lowercase Connection header tokens. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.38 or 3.6.9
Vendor Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52
Restart Required: Yes
Instructions:
1. Identify your Traefik version.
2. Upgrade to 2.11.38 if using Traefik 2.x.
3. Upgrade to 3.6.9 if using Traefik 3.x.
4. Restart the Traefik service.
5. Verify the fix by checking the version and testing with the vulnerable requests.
🔧 Temporary Workarounds
HTTP/2 Enforcement
Force all traffic to use HTTP/2 where possible, as this vulnerability only affects HTTP/1.1 requests.
Header Validation Middleware
Implement custom middleware to validate and sanitize Connection headers before they reach Traefik's vulnerable processing.
🧯 If You Can't Patch
- Implement network-level IP filtering and rate limiting to reduce attack surface
- Deploy a WAF or additional reverse proxy layer that properly validates Connection headers
🔍 How to Verify
Check if Vulnerable:
Check whether your Traefik version falls within the affected ranges: 2.11.9-2.11.37 or 3.1.3-3.6.8. Test by sending an HTTP/1.1 request with a 'Connection: x-real-ip' header and observing whether the X-Real-IP header is stripped.
Check Version:
traefik version
Verify Fix Applied:
After patching, test with the same vulnerable request. The X-Real-IP header should persist. Check that the version is 2.11.38+ or 3.6.9+.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with lowercase Connection headers targeting X-Forwarded headers
- Missing X-Real-IP or other X-Forwarded headers in logs where they should appear
Network Indicators:
- HTTP/1.1 requests with Connection header containing lowercase X-Forwarded header names
SIEM Query:
http.request.headers.connection:"x-real-ip" OR http.request.headers.connection:"x-forwarded-*"
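Detection logic for the log and network indicators above, as an added example that is not Traefik's code and not part of the advisory. It assumes a JSON access log with ClientAddr, RequestPath and request_Connection fields (a constructed shape) and matches Connection tokens case-insensitively, since the trigger described is lowercase tokens; this also covers the wildcard X-Forwarded-* case the SIEM query expresses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SampleLog is constructed sample data in the assumed JSON access-log shape.
const SampleLog = `{"ClientAddr":"203.0.113.7:51234","RequestPath":"/admin","request_Connection":"keep-alive, x-real-ip, x-forwarded-host"}
{"ClientAddr":"198.51.100.9:40001","RequestPath":"/","request_Connection":"keep-alive"}
{"ClientAddr":"203.0.113.7:51240","RequestPath":"/api","request_Connection":"X-Forwarded-For"}`

// isIdentityHeader reports whether a Connection token names one of the
// client-identity headers the advisory covers (X-Real-IP, X-Forwarded-*).
func isIdentityHeader(token string) bool {
	t := strings.ToLower(strings.TrimSpace(token))
	return t == "x-real-ip" || strings.HasPrefix(t, "x-forwarded-")
}

// SuspiciousConnectionTokens returns the Connection header tokens (lowercased)
// that name identity headers. Comparison is case-insensitive on purpose.
func SuspiciousConnectionTokens(connection string) []string {
	var hits []string
	for _, tok := range strings.Split(connection, ",") {
		if isIdentityHeader(tok) {
			hits = append(hits, strings.ToLower(strings.TrimSpace(tok)))
		}
	}
	return hits
}

// accessLogEntry is the assumed (constructed) log shape, not Traefik's own format.
type accessLogEntry struct {
	ClientAddr string `json:"ClientAddr"`
	Path       string `json:"RequestPath"`
	Connection string `json:"request_Connection"`
}

// ScanAccessLog parses newline-delimited JSON log lines and returns one finding
// per request whose Connection header names an identity header.
func ScanAccessLog(lines string) []string {
	var findings []string
	for _, line := range strings.Split(strings.TrimSpace(lines), "\n") {
		var e accessLogEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // skip malformed lines rather than abort the scan
		}
		if hits := SuspiciousConnectionTokens(e.Connection); len(hits) > 0 {
			findings = append(findings, fmt.Sprintf("%s %s connection=%s",
				e.ClientAddr, e.Path, strings.Join(hits, ",")))
		}
	}
	return findings
}

func main() {
	for _, f := range ScanAccessLog(SampleLog) {
		fmt.Println(f)
	}
}
```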