7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-29054

CVE-2026-29054: traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)

Impact

There is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers.

When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers.

This is a bypass of the fix for CVE-2024-45410.

Depending on the deployment, the impact may be higher if downstream services rely on these headers (such as X-Real-Ip or X-Forwarded-*) for authentication, authorization, routing, or scheme decisions.

Patches

https://github.com/traefik/traefik/releases/tag/v2.11.38
https://github.com/traefik/traefik/releases/tag/v3.6.9

Workarounds

No workaround available.

For more information

If there are any questions or comments about this advisory, please open an issue.

<details> <summary>Original Description</summary>

Traefik's XForwarded middleware (removeConnectionHeaders) tries to prevent clients from using the Connection header to strip trusted X-Forwarded-* headers, but the protection compares the Connection tokens case-sensitively while the deletion is case-insensitive.

As a result, a remote unauthenticated client can send a lowercase token like Connection: x-real-ip and still trigger deletion of traefik-managed X-Real-Ip (and similarly named headers in the managed list).

This can cause downstream routing, scheme, and header-based authn/authz decisions to be evaluated with missing trusted forwarding identity headers.

Severity

CRITICAL

Rationale: the PoC demonstrates an end-to-end access control bypass pattern when a downstream service uses proxy-provided identity headers (for example, X-Real-Ip) for IP allowlists or trust decisions. A remote unauthenticated client can strip the traefik-managed identity header via a lowercase Connection token, causing the downstream service to evaluate the request without the expected header signal.

Relevant Links

Repository: https://github.com/traefik/traefik
Pinned commit: a4a91344edcdd6276c1b766ca19ee3f0e346480f
Callsite (pinned): https://github.com/traefik/traefik/blob/a4a91344edcdd6276c1b766ca19ee3f0e346480f/pkg/middlewares/forwardedheaders/forwarded_header.go#L225

Vulnerability Details

Root Cause

removeConnectionHeaders uses a case-sensitive membership check for protected header names when inspecting Connection tokens, but it deletes headers via net/http which treats header names case-insensitively. A lowercase token bypasses the protection check and still triggers deletion.

Attacker Control / Attack Path

Remote unauthenticated HTTP client (untrusted IP) sends Connection: x-real-ip, and Traefik deletes the generated X-Real-Ip header.

Proof of Concept

The attached poc.zip contains a deterministic, make-based integration PoC with a canonical run and a negative control.

Canonical (vulnerable):

unzip poc.zip -d poc
cd poc
make test

Output contains:

[CALLSITE_HIT]: pkg/middlewares/forwardedheaders/forwarded_header.go:225
[PROOF_MARKER]: downstream_admin_bypass=1 x_real_ip_present=0

Control (same env, no lowercase token):

unzip poc.zip -d poc
cd poc
make test

Output contains:

[CALLSITE_HIT]: pkg/middlewares/forwardedheaders/forwarded_header.go:225
[NC_MARKER]: downstream_admin_bypass=0 x_real_ip_present=1

Expected: Connection tokens are handled case-insensitively and protected identity headers (for example, X-Real-Ip and X-Forwarded-*) are not deleted due to client-supplied Connection options (regardless of token casing).

Actual: Lowercase Connection tokens bypass the protection check and still trigger deletion of traefik-managed identity headers (for example, X-Real-Ip).

Recommended Fix

Case-fold (or otherwise canonicalize) Connection header tokens before comparing them against protected header names.
Add a regression test covering lowercase tokens (for example, Connection: x-real-ip).

Fix accepted when: a request with Connection: x-real-ip does not cause deletion of traefik-managed X-Real-Ip, and a regression test covers this behavior.

</details>

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-29054

CVE-2026-29054:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/traefik/traefik/v2	go	>= 2.11.9, <= 2.11.37	2.11.38
github.com/traefik/traefik/v3	go	>= 3.1.3, <= 3.6.8	3.6.9

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a bypass of a previous security fix (CVE-2024-45410) in Traefik's forwarded headers middleware. The root cause is an improper handling of case sensitivity. An attacker can send a specially crafted Connection header with lowercase tokens (e.g., Connection: x-real-ip) to trick Traefik into deleting trusted, proxy-managed headers like X-Real-Ip.

The analysis of the patch commit 7494b5c9ff9e4304654f04d54962ccc500ee0da2 pinpoints the exact location of the vulnerability. The file pkg/middlewares/forwardedheaders/forwarded_header.go contains the flawed logic within the removeConnectionHeaders function.

Before the fix, the code iterated through the Connection header tokens and compared them case-sensitively against a list of protected headers. A lowercase token would not match, bypassing the check. However, the subsequent operation to remove the header is case-insensitive, leading to the deletion of the legitimate, canonicalized header (e.g., X-Real-Ip).

The patch corrects this by canonicalizing the token from the Connection header before performing the check, ensuring that variations in casing are handled correctly and the protected headers are not removed.

The primary vulnerable function is forwardedheaders.XForwarded.removeConnectionHeaders, as it contains the faulty logic. The forwardedheaders.XForwarded.ServeHTTP function is its caller and the entry point for the middleware, making it a key indicator in a runtime profile during exploitation.

Vulnerable functions

forwardedheaders.XForwarded.removeConnectionHeaders

pkg/middlewares/forwardedheaders/forwarded_header.go

The function processes tokens from the 'Connection' header. Before the patch, it performed a case-sensitive check to see if a token matched a protected header (like 'X-Real-Ip'). If an attacker provided a lowercase version ('x-real-ip'), this check would fail. The function would then proceed to delete the header using `req.Header.Del(sf)` (which was changed to `delete(req.Header, key)`), which is case-insensitive, thus removing the protected 'X-Real-Ip' header managed by Traefik.

forwardedheaders.XForwarded.ServeHTTP

pkg/middlewares/forwardedheaders/forwarded_header.go

This function is the main entry point for the XForwarded middleware. It calls the vulnerable `removeConnectionHeaders` function, and would therefore appear in any runtime profile or stack trace when the vulnerability is triggered by a malicious request.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-29054: traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)

Impact

Patches

Workarounds

For more information

Severity

Relevant Links

Vulnerability Details

Root Cause

Attacker Control / Attack Path

Proof of Concept

Recommended Fix

CVE-2026-29054:

7.5

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

7.5

7.5

CVE-2026-29054: traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)

Impact

Patches

Workarounds

For more information

Severity

Relevant Links

Vulnerability Details

Root Cause

Attacker Control / Attack Path

Proof of Concept

Recommended Fix

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI