{
  "threat_severity" : "Important",
  "public_date" : "2026-04-30T20:26:06Z",
  "bugzilla" : {
    "description" : "Traefik: github.com/traefik/traefik: Traefik: Authentication bypass in ForwardAuth middleware",
    "id" : "2464235",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464235"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-501",
  "details" : [ "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.", "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. The flaw is an authentication bypass in Traefik's ForwardAuth middleware that occurs when the `trustForwardHeader` setting is configured as `false` and Traefik is deployed behind a trusted upstream proxy. A remote attacker could exploit this to bypass authentication, potentially gaining unauthorized access to protected resources." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.28",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21772",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.28::el9",
    "package" : "devspaces/traefik-rhel9:1779786779"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-35051\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35051\nhttps://github.com/traefik/traefik/releases/tag/v2.11.43\nhttps://github.com/traefik/traefik/releases/tag/v3.6.14\nhttps://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2\nhttps://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54" ],
  "name" : "CVE-2026-35051",
  "mitigation" : {
    "value" : "To mitigate this issue, ensure that the `trustForwardHeader` setting in Traefik's ForwardAuth middleware is not explicitly configured as `false` unless absolutely necessary. If Traefik is deployed behind a trusted upstream proxy, review the configuration to ensure that `trustForwardHeader` is either set to `true` or omitted, allowing Traefik to correctly process forwarded headers for authentication. If this configuration is modified, a restart or reload of the Traefik service may be required for the changes to take effect.",
    "lang" : "en:us"
  },
  "csaw" : false
}