GHSA-QR99-7898-VR7C

Vulnerability from github – Published: 2026-03-27 20:35 – Updated: 2026-03-27 20:35
VLAI?
Summary
Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
Details

Summary

There is a potential vulnerability in Traefik's Basic and Digest authentication middlewares when headerField is configured with a non-canonical HTTP header name.

An authenticated attacker with valid credentials can inject the canonical version of the configured header to impersonate any identity to the backend. Because Traefik writes the authenticated username using a non-canonical map key, it creates a separate header entry rather than overwriting the attacker's canonical one — causing most backend frameworks to read the attacker-controlled value instead.

Patches

For more information

If there are any questions or comments about this advisory, please open an issue.

Original Description ### Summary When `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject a canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Tested on Traefik v3.6.10. ### Details At `pkg/middlewares/auth/basic_auth.go:92`, the authenticated username is written using direct map assignment: 
req.Header[b.headerField] = []string{user}
Go's `http.Header` map is keyed by canonical names (e.g., `X-Auth-User`). Direct assignment with a non-canonical key (`x-auth-user`) creates a separate map entry from any canonical-key entry already present. The attacker's `X-Auth-User: superadmin` occupies the canonical slot and is never overwritten by Traefik's non-canonical write. The same bug exists in `pkg/middlewares/auth/digest_auth.go:100`. Notably, `forward.go:254` correctly uses `http.CanonicalHeaderKey()`, showing the fix pattern already exists in the codebase. ### PoC **Traefik config (YAML, Docker labels, or REST API):** 
middlewares:
  auth:
    basicAuth:
      users: ["admin:$2y$05$..."]
      headerField: "x-auth-user"
**Normal request (baseline):** 
curl -u admin:admin http://traefik/secure/test
# Backend receives: x-auth-user: admin
# Identity = admin ✓
**Attack request:** 
curl -u admin:admin -H "X-Auth-User: superadmin" http://traefik/secure/test
# Backend receives BOTH headers:
#   X-Auth-User: superadmin   ← attacker-injected (canonical key, read first by most frameworks)
#   x-auth-user: admin        ← Traefik-set (non-canonical, ignored by most frameworks)
# Identity seen by backend = superadmin ✗
**Control test** — when `headerField` uses canonical casing (`X-Auth-User`), the attack fails. Traefik's write correctly overwrites the attacker's header. This is realistic because YAML conventions favor lowercase keys, Traefik docs don't warn about canonicalization, and the pattern of backends trusting the `headerField` header is recommended in Traefik's own documentation. **Fix suggestion:** 
// basic_auth.go:92 and digest_auth.go:100 — change:
req.Header[b.headerField] = []string{user}
// to:
req.Header.Set(b.headerField, user)
Also strip any incoming `headerField` header before the auth check with `req.Header.Del(b.headerField)`. ### Impact An authenticated attacker with valid credentials (even low-privilege) can impersonate any other user identity to backend services. If backends use the `headerField` header for authorization decisions (which is the intended use case per Traefik docs), this enables privilege escalation — e.g., a regular user impersonating an admin. The attack requires the operator to configure `headerField` with a non-canonical header name, which is the natural thing to do in YAML and is not warned against in documentation.
Severity ?
5.1 (Medium)
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.42"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.6.11"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-beta1"
            },
            {
              "fixed": "3.6.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0-ea.1"
            },
            {
              "fixed": "3.7.0-ea.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T20:35:53Z",
    "nvd_published_at": "2026-03-27T15:16:54Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThere is a potential vulnerability in Traefik\u0027s Basic and Digest authentication middlewares when `headerField` is configured with a non-canonical HTTP header name.\n\nAn authenticated attacker with valid credentials can inject the canonical version of the configured header to impersonate any identity to the backend. Because Traefik writes the authenticated username using a non-canonical map key, it creates a separate header entry rather than overwriting the attacker\u0027s canonical one \u2014 causing most backend frameworks to read the attacker-controlled value instead.\n\n## Patches\n\n- \u003chttps://github.com/traefik/traefik/releases/tag/v2.11.42\u003e\n- \u003chttps://github.com/traefik/traefik/releases/tag/v3.6.12\u003e\n- \u003chttps://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3\u003e\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n### Summary\n\nWhen `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject a canonical version of that header to impersonate any identity to the backend. The backend receives two header entries \u2014 the attacker-injected canonical one is read first, overriding Traefik\u0027s non-canonical write.\n\nTested on Traefik v3.6.10.\n\n### Details\n\nAt `pkg/middlewares/auth/basic_auth.go:92`, the authenticated username is written using direct map assignment:\n\n```go\nreq.Header[b.headerField] = []string{user}\n```\n\nGo\u0027s `http.Header` map is keyed by canonical names (e.g., `X-Auth-User`). Direct assignment with a non-canonical key (`x-auth-user`) creates a separate map entry from any canonical-key entry already present. The attacker\u0027s `X-Auth-User: superadmin` occupies the canonical slot and is never overwritten by Traefik\u0027s non-canonical write.\n\nThe same bug exists in `pkg/middlewares/auth/digest_auth.go:100`. Notably, `forward.go:254` correctly uses `http.CanonicalHeaderKey()`, showing the fix pattern already exists in the codebase.\n\n### PoC\n\n**Traefik config (YAML, Docker labels, or REST API):**\n\n```yaml\nmiddlewares:\n  auth:\n    basicAuth:\n      users: [\"admin:$2y$05$...\"]\n      headerField: \"x-auth-user\"\n```\n\n**Normal request (baseline):**\n\n```bash\ncurl -u admin:admin http://traefik/secure/test\n# Backend receives: x-auth-user: admin\n# Identity = admin \u2713\n```\n\n**Attack request:**\n\n```bash\ncurl -u admin:admin -H \"X-Auth-User: superadmin\" http://traefik/secure/test\n# Backend receives BOTH headers:\n#   X-Auth-User: superadmin   \u2190 attacker-injected (canonical key, read first by most frameworks)\n#   x-auth-user: admin        \u2190 Traefik-set (non-canonical, ignored by most frameworks)\n# Identity seen by backend = superadmin \u2717\n```\n\n**Control test** \u2014 when `headerField` uses canonical casing (`X-Auth-User`), the attack fails. Traefik\u0027s write correctly overwrites the attacker\u0027s header.\n\nThis is realistic because YAML conventions favor lowercase keys, Traefik docs don\u0027t warn about canonicalization, and the pattern of backends trusting the `headerField` header is recommended in Traefik\u0027s own documentation.\n\n**Fix suggestion:**\n\n```go\n// basic_auth.go:92 and digest_auth.go:100 \u2014 change:\nreq.Header[b.headerField] = []string{user}\n// to:\nreq.Header.Set(b.headerField, user)\n```\n\nAlso strip any incoming `headerField` header before the auth check with `req.Header.Del(b.headerField)`.\n\n### Impact\n\nAn authenticated attacker with valid credentials (even low-privilege) can impersonate any other user identity to backend services. If backends use the `headerField` header for authorization decisions (which is the intended use case per Traefik docs), this enables privilege escalation \u2014 e.g., a regular user impersonating an admin.\n\nThe attack requires the operator to configure `headerField` with a non-canonical header name, which is the natural thing to do in YAML and is not warned against in documentation.\n\n\u003c/details\u003e",
  "id": "GHSA-qr99-7898-vr7c",
  "modified": "2026-03-27T20:35:53Z",
  "published": "2026-03-27T20:35:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33433"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.42"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.