{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-05T07:52:25.411","vulnerabilities":[{"cve":{"id":"CVE-2026-26998","sourceIdentifier":"security-advisories@github.com","published":"2026-03-05T19:16:05.140","lastModified":"2026-03-06T15:27:01.330","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentication server is read entirely into memory without any size limit. There is no maxResponseBodySize configuration to restrict the amount of data read from the authentication server response. If the authentication server returns an unexpectedly large or unbounded response body, Traefik will allocate unlimited memory, potentially causing an out-of-memory (OOM) condition that crashes the process. This results in a denial of service for all routes served by the affected Traefik instance. This issue has been patched in versions 2.11.38 and 3.6.9."},{"lang":"es","value":"Traefik es un proxy inverso HTTP y un balanceador de carga. Antes de las versiones 2.11.38 y 3.6.9, existe una posible vulnerabilidad en Traefik al gestionar las respuestas del middleware ForwardAuth. Cuando Traefik está configurado para usar el middleware ForwardAuth, el cuerpo de la respuesta del servidor de autenticación se lee completamente en la memoria sin ningún límite de tamaño. No existe una configuración maxResponseBodySize para restringir la cantidad de datos leídos de la respuesta del servidor de autenticación. Si el servidor de autenticación devuelve un cuerpo de respuesta inesperadamente grande o ilimitado, Traefik asignará memoria ilimitada, lo que podría causar una condición de falta de memoria (OOM) que bloquee el proceso. \nEsto resulta en una denegación de servicio para todas las rutas servidas por la instancia de Traefik afectada. Este problema ha sido parcheado en las versiones 2.11.38 y 3.6.9."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H","baseScore":4.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":0.7,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*","versionEndExcluding":"2.11.38","matchCriteriaId":"2F729E45-F8B4-4A50-A2BE-C52CFFEB888D"},{"vulnerable":true,"criteria":"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.6.9","matchCriteriaId":"AFEBE8EC-89F8-415A-8BB4-209F070117B7"}]}]}],"references":[{"url":"https://github.com/traefik/traefik/releases/tag/v2.11.38","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/traefik/traefik/releases/tag/v3.6.9","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/traefik/traefik/security/advisories/GHSA-fw45-f5q2-2p4x","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}