Vulnerability GHSA-6384-m2mw-rf54: Information

Description

Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication

Severity: HIGH (7.8)

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

Severity: (0.0)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

URL: https://github.com/advisories/GHSA-6384-m2mw-rf54

Published: April 24, 2026

Modified: May 7, 2026

Error type identifier: CWE-345

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
traefik	sisyphus	3.6.15-alt1	3.6.17-alt1	ALT-PU-2026-7142-5	417190	Fixed
traefik	sisyphus_riscv64	3.6.15-alt1	3.6.17-alt1	ALT-PU-2026-7534-1	-	Fixed
traefik	sisyphus_loongarch64	3.6.15-alt1	3.6.17-alt1	ALT-PU-2026-7499-1	-	Fixed
traefik	p11	3.6.15-alt1	3.6.17-alt1	ALT-PU-2026-7164-5	417230	Fixed
traefik	c10f2	3.6.15-alt1	3.6.17-alt1	ALT-PU-2026-7154-5	417229	Fixed

Ecosystem	Name	Affected versions	Patched versions
Go	github.com/traefik/traefik/v3	>=3.7.0-ea.1, <3.7.0-rc.2 >=3.0.0-beta1, <3.6.14	3.7.0-rc.2 3.6.14
Go	github.com/traefik/traefik/v2	<2.11.43	2.11.43
Go	github.com/traefik/traefik	<=1.7.34	None

Hyperlink	Resource
https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54	WEB
https://nvd.nist.gov/vuln/detail/CVE-2026-35051	ADVISORY
https://github.com/traefik/traefik	PACKAGE
https://github.com/traefik/traefik/releases/tag/v2.11.43	WEB
https://github.com/traefik/traefik/releases/tag/v3.6.14	WEB
https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2	WEB
CVE-2026-35051	CVE
BDU:2026-06479	BDU

Version: v26.6.1