Description

Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9.

INFO

Published Date :

2026-03-05T16:18:49.230Z

Last Modified :

2026-03-06T16:11:57.698Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-29054 vulnerability.

Vendors Products
Traefik
  • Traefik
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-29054.

URL Resource
https://github.com/traefik/traefik/releases/tag/v2.11.38 cve-icon cve-icon cve-icon
https://github.com/traefik/traefik/releases/tag/v3.6.9 cve-icon cve-icon cve-icon
https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-29054 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-29054 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact