NIXPKGS-2026-1649

GitHub issue published on

Permalink CVE-2026-41181

6.9 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): Low (L)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Low (L)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 7 hours ago by @LeSuisse Activity log

Created suggestion 15 hours ago
@LeSuisse ignored package traefik-certs-dumper 8 hours ago
@LeSuisse ignored reference https://g… 8 hours ago
@LeSuisse accepted 8 hours ago
@LeSuisse published on GitHub 7 hours ago

Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request's complete header set, including Authorization, Cookie, and other authentication material, to the separate error page service rather than only the minimal context needed to render the error page. This behavior is undocumented: the documentation states only that Host is forwarded by default, so operators are not warned that sensitive credentials are shared across service boundaries. Deployments using the errors middleware with a distinct error page service may inadvertently expose end-user credentials to infrastructure that was not intended to receive them. This vulnerability is fixed in 2.11.44, 3.6.15, and 3.7.0-rc.3.

References

https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r x_refsource_CONFIRM
https://github.com/traefik/traefik/releases/tag/v3.6.15 x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3 x_refsource_MISC

Ignored references (1)

https://github.com/traefik/traefik/releases/tag/v2.11.44 x_refsource_MISC

Affected products

traefik

==>= 3.0.0-beta1, < 3.6.14
==>= 3.7.0-rc.0, < 3.7.0-rc.3
==< 2.11.43

Matching in nixpkgs

pkgs.traefik

Modern reverse proxy

nixos-unstable 3.7.0-ea.2
- nixpkgs-unstable 3.7.0-ea.2
- nixos-unstable-small 3.7.0-ea.2
nixos-25.11 3.6.10
- nixos-25.11-small 3.6.10
- nixpkgs-25.11-darwin 3.6.10

Ignored packages (1)

pkgs.traefik-certs-dumper

Dump ACME data from traefik to certificates

nixos-unstable 2.11.2
- nixpkgs-unstable 2.11.2
- nixos-unstable-small 2.11.2
nixos-25.11 2.10.0
- nixos-25.11-small 2.10.0
- nixpkgs-25.11-darwin 2.10.0

Package maintainers

@vdemeester Vincent Demeester <vincent@sbr.pm>
@djds djds <git@djds.dev>