2444872 – (CVE-2026-29054) CVE-2026-29054 github.com/traefik/traefik: Traefik: Information disclosure due to case-insensitive Connection header processing

Bug 2444872 (CVE-2026-29054) - CVE-2026-29054 github.com/traefik/traefik: Traefik: Information disclosure due to case-insensitive Connection header processing

Summary: CVE-2026-29054 github.com/traefik/traefik: Traefik: Information disclosure du...

Keywords:
Status:	NEW
Alias:	CVE-2026-29054
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-05 19:01 UTC by OSIDB Bzimport
Modified:	2026-03-05 19:34 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-05 19:01:27 UTC

Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9.

Note You need to log in before you can comment on or make changes to this bug.