Traefik StripPrefixRegex path desync bypasses ForwardAuth entirely
TL;DR - Send GET /api%2e/admin/secret through a Traefik instance using StripPrefixRegex. The middleware strips the prefix using byte offsets from the decoded path, leaving /./admin/secret in X-Forwarded-Uri. ForwardAuth sees a dot-segment path that doesn't match its protected patterns and waves the request through. The backend normalises /./admin/secret to /admin/secret and serves protected content. Unauthenticated access, no credentials required.
What happened
Traefik is a reverse proxy and ingress controller widely used to route HTTP traffic in container and Kubernetes environments. It's where many teams centralise authentication.
CVE-2026-40912 is an auth bypass rooted in how StripPrefixRegex handles percent-encoded URLs. The middleware matches the configured regex against the decoded Path, then uses the byte length of that decoded match to slice the percent-encoded RawPath. When the prefix contains percent-encoded characters, the lengths disagree. The sliced RawPath ends up containing dot-segments - for example /./admin/secret instead of /admin/secret.
That mangled path is what ForwardAuth sees in X-Forwarded-Uri. If its rules are written against the clean path /admin/secret, the dot-segment variant slips past. The backend then applies RFC 3986 normalisation, resolves /./admin/secret to /admin/secret, and serves the protected resource. BasicAuth and DigestAuth are also affected when used in the same middleware chain.
| Traefik line | Affected versions | Patched version |
|---|---|---|
| github.com/traefik/traefik (v1) | <= 1.7.34 | None listed |
| github.com/traefik/traefik/v2 | < 2.11.43 | 2.11.43 |
| github.com/traefik/traefik/v3 | >= 3.0.0-beta1, < 3.6.14 and >= 3.7.0-ea.1, < 3.7.0-rc.2 | 3.6.14 and 3.7.0-rc.2 |
Path normalisation disagreements between proxy, auth middleware, and backend router are a persistent source of auth bypasses. Ingress proxies are exactly where teams tend to centralise access controls - which makes the blast radius here significant.
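To make the desync concrete, here is an added Go sketch written for this write-up; it is not Traefik's code and not part of the advisory, and the two prefix regexes (`^/[^/]+/` and `^/api`), the `isProtected` rule and all helper names are constructed for the illustration. `stripByDecodedLength` shows what goes wrong when a match taken on the decoded path is used as a byte offset into the still-encoded path; `stripConsistently` shows the proxy-side fix; `normalizeForAuth` shows the check an auth service should run on `X-Forwarded-Uri` before matching its rules, so a dot-segment variant is evaluated as the path the backend will actually serve.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// ensureLeadingSlash re-adds the "/" that a prefix strip can remove.
func ensureLeadingSlash(p string) string {
	if !strings.HasPrefix(p, "/") {
		return "/" + p
	}
	return p
}

// stripByDecodedLength reproduces the defect class (constructed, not Traefik's code):
// the regex is matched against the percent-decoded path, but the byte length of that
// decoded match is used to cut the still-encoded raw path. Both remainders are returned
// so they can be compared; whenever the match covered a %XX escape they disagree.
func stripByDecodedLength(rawPath string, re *regexp.Regexp) (decoded, raw string, err error) {
	u, err := url.Parse(rawPath)
	if err != nil {
		return "", "", err
	}
	prefix := re.FindString(u.Path) // matched on the DECODED path
	encoded := u.EscapedPath()       // the raw, still-encoded form
	if prefix == "" || !strings.HasPrefix(u.Path, prefix) || len(prefix) > len(encoded) {
		return u.Path, encoded, nil
	}
	decoded = ensureLeadingSlash(strings.TrimPrefix(u.Path, prefix))
	raw = ensureLeadingSlash(encoded[len(prefix):]) // decoded length applied to encoded bytes
	return decoded, raw, nil
}

// rawOffsetForDecodedLen walks the encoded path until n decoded bytes have been consumed,
// counting each %XX escape as one decoded byte, and returns the raw offset of the remainder.
func rawOffsetForDecodedLen(encoded string, n int) (int, error) {
	i := 0
	for consumed := 0; consumed < n; consumed++ {
		if i >= len(encoded) {
			return 0, fmt.Errorf("decoded prefix of %d bytes exceeds raw path %q", n, encoded)
		}
		if encoded[i] == '%' {
			if i+3 > len(encoded) {
				return 0, fmt.Errorf("truncated percent-escape in %q", encoded)
			}
			i += 3
			continue
		}
		i++
	}
	return i, nil
}

// stripConsistently is the corrected strip: it still matches on the decoded path, but
// converts the match length to an offset in the encoded path before slicing.
func stripConsistently(rawPath string, re *regexp.Regexp) (string, error) {
	u, err := url.Parse(rawPath)
	if err != nil {
		return "", err
	}
	prefix := re.FindString(u.Path)
	encoded := u.EscapedPath()
	if prefix == "" || !strings.HasPrefix(u.Path, prefix) {
		return encoded, nil
	}
	off, err := rawOffsetForDecodedLen(encoded, len(prefix))
	if err != nil {
		return "", err
	}
	return ensureLeadingSlash(encoded[off:]), nil
}

// normalizeForAuth is the defence an auth service can apply to X-Forwarded-Uri before
// evaluating rules: percent-decode, then remove dot-segments (RFC 3986 5.2.4, here via
// path.Clean), so "/./admin/secret" and "/%2e/admin/secret" are judged as "/admin/secret".
// path.Clean also collapses "//" and drops a trailing "/"; align that with your backend's
// router, or fail closed when the normalised path differs from the one received.
func normalizeForAuth(forwardedURI string) (string, error) {
	u, err := url.Parse(forwardedURI)
	if err != nil {
		return "", err
	}
	return path.Clean(ensureLeadingSlash(u.Path)), nil // u.Path is already decoded
}

// isProtected stands in for an auth rule written against the clean path.
func isProtected(p string) bool {
	return p == "/admin" || strings.HasPrefix(p, "/admin/")
}

func main() {
	req := "/api%2e/admin/secret" // constructed request path from the TL;DR above
	firstSegment := regexp.MustCompile(`^/[^/]+/`)
	dec, raw, _ := stripByDecodedLength(req, firstSegment)
	fixed, _ := stripConsistently(req, firstSegment)
	fmt.Printf("desync: decoded=%q raw=%q consistent=%q\n", dec, raw, fixed)

	dec, raw, _ = stripByDecodedLength(req, regexp.MustCompile(`^/api`))
	norm, _ := normalizeForAuth(raw)
	fmt.Printf("remainder %q: naive rule=%v, normalised %q rule=%v\n", dec, isProtected(dec), norm, isProtected(norm))
}
```

Running it shows the two failure shapes side by side. With `^/[^/]+/` the decoded and raw views of the same request diverge (`/admin/secret` versus `/e/admin/secret`), which is the length disagreement the advisory describes. With `^/api` both views agree but carry a dot-segment, and a rule written against `/admin/secret` does not fire until the auth side normalises; that second layer stays necessary even after the proxy is patched, because the proxy, the auth service and the backend router each apply their own idea of the canonical path.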
Who is impacted
- Traefik deployments that chain `StripPrefixRegex` with `ForwardAuth`, `BasicAuth`, or `DigestAuth` in the same middleware stack.
- Backends that normalise dot-segments - Express.js, Go's `http.ServeMux`, and Spring Boot are called out as examples.
- Any environment where an attacker can reach Traefik directly: internet-facing ingress, internal multi-tenant routing, shared platform clusters.
What to do now
- Upgrade immediately to a patched release for your major line:
  - v2: `2.11.43`
  - v3: `3.6.14` or `3.7.0-rc.2`
- Inventory your middleware chains. Find every router or service that combines `StripPrefixRegex` with `ForwardAuth`, `BasicAuth`, or `DigestAuth`.
- Treat affected deployments as externally bypassable until you've confirmed you're on a patched release - especially if you route to backends that normalise dot-segments.
- If you're on v1 (`<= 1.7.34`): the advisory lists no patched version for this line. Treat it as "no in-line fix available" and plan an upgrade to a supported major version as a priority.
