Summary
There is a potential vulnerability in Traefik's Basic and Digest authentication middlewares when headerField is configured with a non-canonical HTTP header name.
An authenticated attacker with valid credentials can inject the canonical version of the configured header to impersonate any identity to the backend. Because Traefik writes the authenticated username using a non-canonical map key, it creates a separate header entry rather than overwriting the attacker's canonical one, causing most backend frameworks to read the attacker-controlled value instead.
For more information
If there are any questions or comments about this advisory, please open an issue.
Original DescriptionWhen headerField is configured with a non-canonical HTTP header name (e.g., x-auth-user instead of X-Auth-User), an authenticated attacker can inject a canonical version of that header to impersonate any identity to the backend. The backend receives two header entries, the attacker-injected canonical one is read first, overriding Traefik's non-canonical write.
Tested on Traefik v3.6.10.
Details
At pkg/middlewares/auth/basic_auth.go:92, the authenticated username is written using direct map assignment:
req.Header[b.headerField] = []string{user}
Go's http.Header map is keyed by canonical names (e.g., X-Auth-User). Direct assignment with a non-canonical key (x-auth-user) creates a separate map entry from any canonical-key entry already present. The attacker's X-Auth-User: superadmin occupies the canonical slot and is never overwritten by Traefik's non-canonical write.
The same bug exists in pkg/middlewares/auth/digest_auth.go:100. Notably, forward.go:254 correctly uses http.CanonicalHeaderKey(), showing the fix pattern already exists in the codebase.
PoC
Traefik config (YAML, Docker labels, or REST API):
middlewares:
auth:
basicAuth:
users: ["admin:$2y$05$..."]
headerField: "x-auth-user"
Normal request (baseline):
curl -u admin:admin http://traefik/secure/test
# Backend receives: x-auth-user: admin
# Identity = admin ✓
Attack request:
curl -u admin:admin -H "X-Auth-User: superadmin" http://traefik/secure/test
# Backend receives BOTH headers:
# X-Auth-User: superadmin ← attacker-injected (canonical key, read first by most frameworks)
# x-auth-user: admin ← Traefik-set (non-canonical, ignored by most frameworks)
# Identity seen by backend = superadmin ✗
Control test, when headerField uses canonical casing (X-Auth-User), the attack fails. Traefik's write correctly overwrites the attacker's header.
This is realistic because YAML conventions favor lowercase keys, Traefik docs don't warn about canonicalization, and the pattern of backends trusting the headerField header is recommended in Traefik's own documentation.
Fix suggestion:
// basic_auth.go:92 and digest_auth.go:100, change:
req.Header[b.headerField] = []string{user}
// to:
req.Header.Set(b.headerField, user)
Also strip any incoming headerField header before the auth check with req.Header.Del(b.headerField).
Impact
An authenticated attacker with valid credentials (even low-privilege) can impersonate any other user identity to backend services. If backends use the headerField header for authorization decisions (which is the intended use case per Traefik docs), this enables privilege escalation, e.g., a regular user impersonating an admin.
The attack requires the operator to configure headerField with a non-canonical header name, which is the natural thing to do in YAML and is not warned against in documentation.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Frequently Asked Questions
- What is CVE-2026-33433? CVE-2026-33433 is a medium-severity security vulnerability in github.com/traefik/traefik/v2 (go), affecting versions < 2.11.42. It is fixed in 2.11.42, 3.6.12, 3.7.0-ea.3.
- Which packages are affected by CVE-2026-33433?
github.com/traefik/traefik/v2(go) (versions < 2.11.42)github.com/traefik/traefik/v3(go) (versions >= 3.0.0-beta1, < 3.6.11)
- Is there a fix for CVE-2026-33433? Yes. CVE-2026-33433 is fixed in 2.11.42, 3.6.12, 3.7.0-ea.3. Upgrade to this version or later.
- Is CVE-2026-33433 exploitable, and should I be worried? Whether CVE-2026-33433 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-33433 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-33433?
- Upgrade
github.com/traefik/traefik/v2to 2.11.42 or later - Upgrade
github.com/traefik/traefik/v3to 3.6.12 or later - Upgrade
github.com/traefik/traefik/v3to 3.7.0-ea.3 or later
- Upgrade