A high-severity authentication bypass vulnerability (CVE-2026-40912) in Traefik’s StripPrefixRegex middleware allows unauthenticated attackers to access protected backend resources by exploiting a desynchronization between decoded URL paths and raw percent-encoded paths, completely circumventing ForwardAuth, BasicAuth, and DigestAuth controls.
Traefik, the widely deployed cloud-native reverse proxy and load balancer written in Go, has been found to contain a high-severity authentication bypass flaw tracked as CVE-2026-40912 (GHSA-6jwx-7vp4-9847).
The vulnerability resides in the StripPrefixRegex middleware and was responsibly disclosed by security researcher Gouldnicholas; the advisory was published by Traefik maintainer nmengin on April 23, 2026. It carries a CVSS v4 severity of High, with subsequent-system confidentiality impact rated High and integrity impact rated Low.
Traefik Auth Bypass Flaw
The flaw requires no authentication, no user interaction and no special privileges. The attack vector is network-based and low-complexity: a single crafted URL is enough, which makes it easy to exploit at scale.
At the heart of the vulnerability is a subtle but devastating logic error in pkg/middlewares/stripprefixregex/strip_prefix_regex.go, specifically at line 62:
```go
req.URL.RawPath = ensureLeadingSlash(req.URL.RawPath[len(prefix):])
```
The StripPrefixRegex middleware matches its configured regex against the decoded req.URL.Path (line 51) to extract the prefix. It then uses len(prefix), the byte length of that decoded prefix, to slice the percent-encoded RawPath. (Go's net/url keeps RawPath only when the request's encoding differs from what it would generate itself from Path, for example when a character that needs no escaping, such as a dot, arrives percent-encoded; that is exactly the situation an attacker can create.)
This is the critical flaw: when percent-encoded characters (e.g., %2e for a dot, %20 for a space) fall inside the region the regex matched, the decoded and encoded forms differ in byte length (three bytes per escape in RawPath versus one in Path), so the slice removes too few bytes from RawPath and the two representations of the path no longer agree.
Example attack chain using %2e (percent-encoded dot):
```http
GET /api%2e/admin/secret
```
The result, confirmed by the researcher's proof-of-concept:
| Request | Response |
|---|---|
| GET /api/admin/secret | 403 (blocked) |
| GET /api%2e/admin/secret | 200 (auth bypassed, protected content served) |
| GET /api%20/admin/secret | 404 (space not normalized by backend) |
This behavior is classified under CWE-706: Use of Incorrectly-Resolved Name or Reference.
The bypass is effective against any backend that performs dot-segment normalization, which is standard RFC 3986 behavior that Express.js, Go's http.ServeMux (which answers a non-clean path with a 301 redirect to the cleaned one), Spring Boot and many other popular frameworks apply with no custom configuration.
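To make the length mismatch concrete, the following Go program is an added illustration and is not Traefik's code or its patch. It reproduces the flawed slice on a parsed URL beside a corrected variant that measures the matched prefix in encoded bytes before slicing, so the same decoded prefix is removed from both Path and RawPath. The regex `^/[^/]+` (strip the first path segment) and the request paths are assumptions chosen so that the encoded dot falls inside the matched prefix; with a regex such as `^/api` that stops before the escape, the two lengths agree and this particular desync does not occur. Consistent() is the check a reviewer would want: does RawPath still decode to Path after the middleware ran?

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Result holds the two views of the request path after prefix stripping.
type Result struct {
	Path    string // decoded path
	RawPath string // percent-encoded path; "" means net/url considers it identical to Path
}

// Consistent reports whether RawPath still decodes to Path. A false result is the
// decoded/encoded desynchronisation the advisory describes.
func (r Result) Consistent() bool {
	if r.RawPath == "" {
		return true
	}
	dec, err := url.PathUnescape(r.RawPath)
	return err == nil && dec == r.Path
}

func ensureLeadingSlash(s string) string {
	if len(s) > 0 && s[0] == '/' {
		return s
	}
	return "/" + s
}

// stripVulnerable mirrors the flawed logic: match on the decoded Path, then reuse the
// byte length of that decoded match to slice the percent-encoded RawPath.
func stripVulnerable(re *regexp.Regexp, u *url.URL) Result {
	prefix := re.FindString(u.Path)
	if prefix == "" {
		return Result{u.Path, u.RawPath}
	}
	res := Result{Path: ensureLeadingSlash(u.Path[len(prefix):])}
	if u.RawPath != "" {
		res.RawPath = ensureLeadingSlash(u.RawPath[len(prefix):]) // one byte per escape, not three
	}
	return res
}

// rawPrefixLen returns how many bytes of rawPath encode its first n decoded bytes.
// url.Parse has already rejected malformed escapes, so every '%' starts a %XX triple.
func rawPrefixLen(rawPath string, n int) int {
	i := 0
	for decoded := 0; decoded < n && i < len(rawPath); decoded++ {
		if rawPath[i] == '%' && i+2 < len(rawPath) {
			i += 3
		} else {
			i++
		}
	}
	return i
}

// stripFixed removes the same decoded prefix from both views by measuring the prefix
// in encoded bytes before slicing RawPath (one correct approach, not Traefik's patch).
func stripFixed(re *regexp.Regexp, u *url.URL) Result {
	prefix := re.FindString(u.Path)
	if prefix == "" {
		return Result{u.Path, u.RawPath}
	}
	res := Result{Path: ensureLeadingSlash(u.Path[len(prefix):])}
	if u.RawPath != "" {
		res.RawPath = ensureLeadingSlash(u.RawPath[rawPrefixLen(u.RawPath, len(prefix)):])
	}
	return res
}

func main() {
	re := regexp.MustCompile(`^/[^/]+`) // assumed middleware config: strip the first segment
	for _, raw := range []string{"/api/admin/secret", "/api%2e/admin/secret"} {
		u, err := url.Parse(raw)
		if err != nil {
			panic(err)
		}
		v, f := stripVulnerable(re, u), stripFixed(re, u)
		fmt.Printf("%-22s vulnerable: Path=%q RawPath=%q consistent=%v\n", raw, v.Path, v.RawPath, v.Consistent())
		fmt.Printf("%-22s fixed:      Path=%q RawPath=%q consistent=%v\n", raw, f.Path, f.RawPath, f.Consistent())
	}
}
```

For the plain request both variants leave RawPath empty and agree. For the encoded request the vulnerable slice leaves Path at /admin/secret but RawPath at /2e/admin/secret, two different resources depending on which view the proxy forwards; the fixed variant leaves both at /admin/secret.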
This vulnerability is part of a broader wave of Traefik authentication bypass issues patched in the April 21, 2026, security release.
The same release addressed four additional CVEs: CVE-2026-39858 (forwarded alias spoofing bypass), CVE-2026-35051 (X-Forwarded-Prefix spoofing with trustForwardHeader=false), CVE-2026-41263, and CVE-2026-41174, all of which carry CVSS scores of 7.8.
Affected Versions
All Traefik deployments running the following versions are vulnerable:
- v2.x: All versions ≤ v2.11.42
- v3.x: All versions ≤ v3.6.13
- v3.7 RC: v3.7.0-rc.1 and below
Traefik released patches on April 21, 2026, across all supported branches:
| Affected Branch | Fixed Version |
|---|---|
| v2.11.x | v2.11.43 |
| v3.6.x | v3.6.14 |
| v3.7 RC | v3.7.0-rc.2 |
Organizations should immediately upgrade to a patched version. Until upgrading is feasible, administrators should audit all middleware chains using StripPrefixRegex in combination with any authentication middleware and consider temporarily removing or replacing StripPrefixRegex from chains that front sensitive endpoints.
Monitoring ingress logs for requests whose raw path contains %2e, %2f, %5c or other percent-encoded path separators (in either hex case, and in double-encoded form such as %252e) aimed at auth-protected routes is also strongly advised.
Traefik is among the most widely adopted ingress controllers in Kubernetes and Docker Swarm environments, where ForwardAuth is a standard pattern for centralizing authentication across microservices.
Because the exploit requires no credentials, no special headers and no insider access, just a specially crafted URL, as Traefik's advisory notes, the attack surface is large. Any internet-facing Traefik deployment that chains StripPrefixRegex with an auth middleware in front of a dot-segment-normalizing backend is exposed until patched.
FAQ
Q1: Does CVE-2026-40912 affect Traefik deployments that don’t use StripPrefixRegex?
No. Only deployments where StripPrefixRegex is chained with ForwardAuth, BasicAuth, or DigestAuth in the same middleware stack are vulnerable.
Q2: Is there a working public exploit or PoC available for CVE-2026-40912?
Yes. The reporter confirmed a working Docker Compose-based PoC: `curl --path-as-is "http://localhost:8080/api%2e/admin/secret"` returns HTTP 200 on unpatched Traefik v3.6 (--path-as-is stops curl from squashing dot segments client-side before the request is sent).
Q3: Which backend frameworks are susceptible to dot-segment normalization that enables this bypass?
Express.js, Go’s http.ServeMux, and Spring Boot all perform RFC 3986 dot-segment normalization automatically, making them exploitable targets without any additional configuration.
Q4: What CVSS score is assigned to CVE-2026-40912, and what weakness type does it represent?
CVE-2026-40912 is rated High severity under CVSS v4 with subsequent system confidentiality impact scored as High, and is classified under CWE-706 (Use of Incorrectly-Resolved Name or Reference).
Site: https://thecybrdef.com