{"id":"CVE-2026-33433","summary":"Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField","details":"Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue.","aliases":["GHSA-qr99-7898-vr7c","GO-2026-4893"],"modified":"2026-04-10T05:42:46.448467Z","published":"2026-03-27T13:49:08.455Z","related":["CGA-3gjm-565p-wgqh","SUSE-SU-2026:1205-1"],"database_specific":{"cwe_ids":["CWE-290"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33433.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33433.json"},{"type":"WEB","url":"https://github.com/traefik/traefik/releases/tag/v2.11.42"},{"type":"WEB","url":"https://github.com/traefik/traefik/releases/tag/v3.6.11"},{"type":"WEB","url":"https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3"},{"type":"ADVISORY","url":"https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33433"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/traefik/traefik","events":[{"introduced":"0"},{"fixed":"e4b2c648bf78b29a97a560571510b61eb7dc67b6"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.11.42"}]}},{"type":"GIT","repo":"https://github.com/traefik/traefik","events":[{"introduced":"519ed8bde58e9ebc6d9618a38a351208820cf273"},{"fixed":"33219a0af86c41a8db81d37c444f65172bfb3e35"}],"database_specific":{"versions":[{"introduced":"3.0.0-beta1"},{"fixed":"3.6.11"}]}},{"type":"GIT","repo":"https://github.com/traefik/traefik","events":[{"introduced":"67c64ed9b25fbb90f1086977a62827133a7aa01b"},{"fixed":"9990cfc613835f32d831174bd2d5dea6b2c1e45a"}],"database_specific":{"versions":[{"introduced":"3.7.0-ea.1"},{"fixed":"3.7.0-ea.3"}]}}],"versions":["v1.0","v1.0.0","v1.0.0-beta.211","v1.0.0-beta.212","v1.0.0-beta.220","v1.0.0-beta.224","v1.0.0-beta.247","v1.0.0-beta.254","v1.0.0-beta.277","v1.0.0-beta.280","v1.0.0-beta.287","v1.0.0-beta.289","v1.0.0-beta.291","v1.0.0-beta.300","v1.0.0-beta.324","v1.0.0-beta.339","v1.0.0-beta.341","v1.0.0-beta.352","v1.0.0-beta.355","v1.0.0-beta.366","v1.0.0-beta.374","v1.0.0-beta.392","v1.0.0-beta.395","v1.0.0-beta.404","v1.0.0-beta.408","v1.0.0-beta.416","v1.0.0-beta.421","v1.0.0-beta.427","v1.0.0-beta.433","v1.0.0-beta.436","v1.0.0-beta.440","v1.0.0-beta.442","v1.0.0-beta.453","v1.0.0-beta.470","v1.0.0-beta.475","v1.0.0-beta.481","v1.0.0-beta.484","v1.0.0-beta.505","v1.0.0-beta.508","v1.0.0-beta.513","v1.0.0-beta.524","v1.0.0-beta.545","v1.0.0-beta.548","v1.0.0-beta.555","v1.0.0-beta.573","v1.0.0-beta.576","v1.0.0-beta.582","v1.0.0-beta.601","v1.0.0-beta.610","v1.0.0-beta.614","v1.0.0-beta.621","v1.0.0-beta.644","v1.0.0-beta.652","v1.0.0-beta.666","v1.0.0-beta.673","v1.0.0-beta.676","v1.0.0-beta.682","v1.0.0-beta.692","v1.0.0-beta.695","v1.0.0-beta.704","v1.0.0-beta.712","v1.0.0-beta.721","v1.0.0-beta.723","v1.0.0-beta.732","v1.0.0-beta.744","v1.0.0-beta.754","v1.0.0-beta.756","v1.0.0-beta.767","v1.0.0-beta.771","v1.0.0-beta.784","v1.0.0-beta.794","v1.0.0-beta.804","v1.0.0-beta.809","v1.0.0-rc1","v1.0.0-rc2","v1.0.0-rc3","v1.0.alpha.0e683cc5355bc507dabac68bbc7559d3f179e185","v1.0.alpha.11781087cadf9068d1d0b43902b6161ee10ea458","v1.0.alpha.157","v1.0.alpha.164","v1.0.alpha.170","v1.0.alpha.171","v1.0.alpha.176","v1.0.alpha.178","v1.0.alpha.182","v1.0.alpha.186","v1.0.alpha.1a5668377cc840a35d233a0eb817ee9bacf0ba3e","v1.0.alpha.200","v1.0.alpha.212","v1.0.alpha.215","v1.0.alpha.216","v1.0.alpha.217","v1.0.alpha.228","v1.0.alpha.247","v1.0.alpha.249","v1.0.alpha.250","v1.0.alpha.251","v1.0.alpha.252","v1.0.alpha.256","v1.0.alpha.257","v1.0.alpha.263","v1.0.alpha.266","v1.0.alpha.267","v1.0.alpha.268","v1.0.alpha.269","v1.0.alpha.270","v1.0.alpha.271","v1.0.alpha.272","v1.0.alpha.273","v1.0.alpha.274","v1.0.alpha.275","v1.0.alpha.285","v1.0.alpha.288","v1.0.alpha.290","v1.0.alpha.291","v1.0.alpha.302","v1.0.alpha.306","v1.0.alpha.311","v1.0.alpha.329","v1.0.alpha.331cd173ce8ad858d767510fbcbc653e2dde657d","v1.0.alpha.333","v1.0.alpha.336","v1.0.alpha.338","v1.0.alpha.341","v1.0.alpha.357","v1.0.alpha.358","v1.0.alpha.361","v1.0.alpha.364","v1.0.alpha.367","v1.0.alpha.374","v1.0.alpha.392","v1.0.alpha.3af21612b65fc578585a98c30090d1e613f791eb","v1.0.alpha.404","v1.0.alpha.412","v1.0.alpha.418","v1.0.alpha.421","v1.0.alpha.425","v1.0.alpha.439","v1.0.alpha.443","v1.0.alpha.450","v1.0.alpha.463","v1.0.alpha.469","v1.0.alpha.471","v1.0.alpha.477","v1.0.alpha.481","v1.0.alpha.4c447985b63f8c90dcbde70b2eaef19d9a8c5ad2","v1.0.alpha.4ded2682d2831ed703282b2f4585e17a62ee258e","v1.0.alpha.506","v1.0.alpha.516","v1.0.alpha.522","v1.0.alpha.60e9282f0adac48cbf283306ceb08ad7a31ac94b","v1.0.alpha.6c3c5578c64125838abbc437a0242e1742d6f47a","v1.0.alpha.71b0e27517841ec7b911bafb109846ee96109f30","v1.0.alpha.7acc2beae0f0235d9408e8ed7a51f0ef3dae3aff","v1.0.alpha.9830086790caf40ce30eb9ed5d317917f8157708","v1.0.alpha.99646544953d5793f18ccb22dae2458be4ba0e05","v1.0.alpha.a00eb81f0301f5e61024dea3b92ba632d6a61a8b","v1.0.alpha.a458018aa2ccb637abacfc696157e00321cf982f","v1.0.alpha.ac56c1310c46f9c18dcad9d7ec680926fae821bb","v1.0.alpha.b42b170ad29a0f042ddee0f5a5098aa9a59a9c8e","v1.0.alpha.b84b95fe97df5c0f234d8693fbff03fa0d6a441b","v1.0.alpha.e0872b61579c8e6b8fc6124c8836660c11840f5d","v1.1.0-rc1","v1.3.0-rc1","v1.4.0-rc1","v1.5.0-rc1","v1.6.0-rc1","v1.7.0-rc1","v2.0.0-alpha1","v2.1.0-rc1","v2.1.0-rc2","v2.10.0","v2.10.0-rc1","v2.10.0-rc2","v2.10.1","v2.10.2","v2.10.3","v2.10.4","v2.10.5","v2.10.6","v2.10.7","v2.11.0","v2.11.0-rc1","v2.11.0-rc2","v2.11.1","v2.11.10","v2.11.11","v2.11.12","v2.11.13","v2.11.14","v2.11.15","v2.11.16","v2.11.17","v2.11.18","v2.11.19","v2.11.2","v2.11.20","v2.11.21","v2.11.22","v2.11.23","v2.11.24","v2.11.25","v2.11.26","v2.11.27","v2.11.28","v2.11.29","v2.11.3","v2.11.30","v2.11.31","v2.11.32","v2.11.33","v2.11.34","v2.11.35","v2.11.36","v2.11.37","v2.11.38","v2.11.39","v2.11.4","v2.11.40","v2.11.41","v2.11.5","v2.11.6","v2.11.7","v2.11.8","v2.11.9","v2.2.0-rc1","v2.2.0-rc2","v2.2.0-rc3","v2.2.0-rc4","v2.3.0-rc1","v2.4.0","v2.4.0-rc1","v2.4.0-rc2","v2.4.1","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.5.0-rc1","v2.6.0-rc1","v2.7.0","v2.7.0-rc1","v2.7.0-rc2","v2.8.0-rc1","v2.9.0-rc1","v2.9.0-rc2","v2.9.0-rc3","v2.9.0-rc4","v2.9.0-rc5","v2.9.1","v2.9.2","v2.9.3","v2.9.4","v2.9.5","v2.9.6","v2.9.7","v2.9.8","v3.0.0-beta1","v3.0.0-beta2","v3.1.0-rc1","v3.2.0-rc1","v3.3.0-rc1","v3.4.0-rc1","v3.5.0-rc1","v3.6.0","v3.6.0-rc1","v3.6.1","v3.6.10","v3.6.2","v3.6.3","v3.6.4","v3.6.5","v3.6.6","v3.6.7","v3.6.8","v3.6.9","v3.7.0-ea.1","v3.7.0-ea.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33433.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"}]}