2444876 – (CVE-2026-26998) CVE-2026-26998 github.com/traefik/traefik: Traefik: Denial of Service due to unbounded ForwardAuth middleware response processing

Bug 2444876 (CVE-2026-26998) - CVE-2026-26998 github.com/traefik/traefik: Traefik: Denial of Service due to unbounded ForwardAuth middleware response processing

Summary: CVE-2026-26998 github.com/traefik/traefik: Traefik: Denial of Service due to ...

Keywords:
Status:	NEW
Alias:	CVE-2026-26998
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-05 19:01 UTC by OSIDB Bzimport
Modified:	2026-03-05 19:33 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-05 19:01:39 UTC

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentication server is read entirely into memory without any size limit. There is no maxResponseBodySize configuration to restrict the amount of data read from the authentication server response. If the authentication server returns an unexpectedly large or unbounded response body, Traefik will allocate unlimited memory, potentially causing an out-of-memory (OOM) condition that crashes the process. This results in a denial of service for all routes served by the affected Traefik instance. This issue has been patched in versions 2.11.38 and 3.6.9.

Note You need to log in before you can comment on or make changes to this bug.