CVE Tools
Sign in

CVE-2026-40912

Traefik: StripPrefixRegex auth bypass via Path/RawPath desync

Published: Apr 30, 2026Updated: May 1, 2026 Sources: CVE List NVD BDUCWE-706
NVD MITRE
8.2CVSSHIGH
EPSS Score
0.6%
Top 57.3%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. /./admin/secret). ForwardAuth receives this dot-segment path in X-Forwarded-Uri, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:HI:LA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:LIntegrity
Low
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-706

Affected Products

TraefikContainous
On-prem
Networking Infrastructure / load-balancer-proxy
traefiktraefik
On-prem
Networking Infrastructure / load-balancer-proxy
containousoss-projectFRNetworking Infrastructureaka containous
traefikoss-projectNetworking Infrastructureaka traefik enterprise

Exploitability

Official Patch Available

References

https://github.com/traefik/traefik/releases/tag/v2.11.43
github.com
https://github.com/traefik/traefik/releases/tag/v3.6.14
github.com
https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
github.com
and 4 more references View all →

Timeline

Published
Apr 30, 2026
Last Updated
May 1, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-40912 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows