{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T17:43:08.144","vulnerabilities":[{"cve":{"id":"CVE-2026-29054","sourceIdentifier":"security-advisories@github.com","published":"2026-03-05T19:16:15.277","lastModified":"2026-03-06T15:26:20.060","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9."},{"lang":"es","value":"Traefik es un proxy inverso HTTP y un equilibrador de carga. Desde la versión 2.11.9 hasta la 2.11.37 y desde la versión 3.1.3 hasta la 3.6.8, existe una potencial vulnerabilidad en Traefik al gestionar el encabezado Connection con los encabezados X-Forwarded. Cuando Traefik procesa solicitudes HTTP/1.1, la protección implementada para evitar la eliminación de los encabezados X-Forwarded gestionados por Traefik (como X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) a través del encabezado Connection no maneja correctamente la distinción entre mayúsculas y minúsculas. Los tokens de Connection se comparan con distinción entre mayúsculas y minúsculas con los nombres de los encabezados protegidos, pero la eliminación real del encabezado opera sin distinción entre mayúsculas y minúsculas. Como resultado, un cliente remoto no autenticado puede usar tokens de Connection en minúsculas (p. ej., Connection: x-real-ip) para eludir la protección y activar la eliminación de los encabezados de identidad reenviados gestionados por Traefik. Este problema ha sido parcheado en las versiones 2.11.38 y 3.6.9."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-178"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*","versionStartIncluding":"2.11.9","versionEndExcluding":"2.11.38","matchCriteriaId":"BBEECE25-1AC0-4A93-8CA9-3C1AEBF85E86"},{"vulnerable":true,"criteria":"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1.3","versionEndExcluding":"3.6.9","matchCriteriaId":"07558342-0979-427E-A153-610F1B378CD6"}]}]}],"references":[{"url":"https://github.com/traefik/traefik/releases/tag/v2.11.38","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/traefik/traefik/releases/tag/v3.6.9","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}