PatchSiren cyber security CVE debrief
CVE-2026-41181 traefik CVE debrief
Traefik's errors middleware inadvertently forwards the complete set of request headers, including sensitive authentication material, to external error page services, contrary to documentation stating that only the Host header is forwarded by default. This information disclosure occurs when a backend returns a response matching a configured status range, exposing credentials across unintended service boundaries. The vulnerability affects Traefik versions prior to 2.11.44, 3.6.15, and 3.7.0-rc.3; those releases contain the fix. Operators using the errors middleware with a distinct error page service should prioritize upgrading to prevent credential leakage to infrastructure not authorized to receive such data.
- Vendor: traefik
- Product: Unknown
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-19
Who should care
Organizations operating Traefik reverse proxies with errors middleware configured to use distinct error page services, particularly those handling authenticated traffic where credential leakage to auxiliary infrastructure would constitute a security boundary violation. Infrastructure teams managing multi-service deployments where error page handling is segregated from primary application services should prioritize assessment and remediation.
Technical summary
The errors middleware in Traefik (an HTTP reverse proxy and load balancer), in versions prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, exhibits an information disclosure vulnerability classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). When the middleware is configured with custom error pages and a backend returns a response matching the configured status range, it forwards the original request's complete header set (including Authorization, Cookie, and other authentication material) to the separate error page service. This behavior contradicts the official documentation, which states that only the Host header is forwarded by default. The vulnerability enables credential exposure across service boundaries when operators deploy distinct error page infrastructure, because sensitive authentication data is transmitted to services that were never intended to receive it. The attack surface is network-accessible with low attack complexity, though exploitation requires a specific middleware configuration with a separate error page service.
Defensive priority
high
Recommended defensive actions
- Upgrade Traefik to version 2.11.44, 3.6.15, or 3.7.0-rc.3 or later to remediate this vulnerability
- Review configurations using the errors middleware with distinct error page services to assess potential credential exposure
- Audit error page service infrastructure for unauthorized access to forwarded authentication headers
- Verify middleware documentation against actual behavior to identify any additional undocumented header forwarding
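To support the configuration review and the "verify documentation against actual behavior" step above, a minimal stand-in error page service can be pointed at by the errors middleware in a test environment and will log which authentication headers actually arrive, without logging their values. This is an added example written for this debrief, not Traefik's code; the header list and the port are assumptions.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Header names that carry authentication material. Constructed list for this
// check; extend it with any custom credential headers your stack uses.
var sensitiveHeaders = []string{"Authorization", "Cookie", "Proxy-Authorization", "X-Api-Key"}

// leakedHeaders returns the names (never the values) of sensitive headers
// present in h, in the order of sensitiveHeaders.
func leakedHeaders(h http.Header) []string {
	var found []string
	for _, name := range sensitiveHeaders {
		if _, ok := h[http.CanonicalHeaderKey(name)]; ok {
			found = append(found, name)
		}
	}
	return found
}

// errorPageHandler serves a plain error page and records whether the proxy
// forwarded credentials along with the request. A "LEAK" line means the
// errors middleware in front of this service is forwarding more than Host.
func errorPageHandler(w http.ResponseWriter, r *http.Request) {
	if leaked := leakedHeaders(r.Header); len(leaked) > 0 {
		log.Printf("LEAK from %s: sensitive headers forwarded: %s",
			r.RemoteAddr, strings.Join(leaked, ", "))
	} else {
		log.Printf("ok from %s: no sensitive headers forwarded", r.RemoteAddr)
	}
	w.Header().Set("Content-Type", "text/plain")
	w.WriteHeader(http.StatusServiceUnavailable)
	fmt.Fprintln(w, "Service temporarily unavailable")
}

func main() {
	http.HandleFunc("/", errorPageHandler)
	// Assumed listen address; configure the errors middleware's service to point here.
	log.Fatal(http.ListenAndServe(":8081", nil))
}
```

Run it beside a Traefik instance whose errors middleware uses it as the error page service, send an authenticated request that triggers a matching status from the backend, and compare the log line before and after upgrading.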
Evidence notes
Vendor advisory confirms undocumented header forwarding behavior; CPE criteria specify affected version ranges; CVSS 4.0 vector indicates network attack vector with low confidentiality impact to subsequent systems.
Official resources
- CVE-2026-41181 CVE record (CVE.org)
- CVE-2026-41181 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Exploit, Mitigation, Patch, Vendor Advisory