On February 23, 2026, we patched the following vulnerabilities with Traefik Proxy 2.11.38 and 3.6.9:
CVE-2026-29054 (Advisory GHSA-92mv-8f8w-wq52) — High (CVSS 7.5)
Case-Sensitive Bypass in Connection Header Allows Removal of X-Forwarded Headers
CVE-2026-26999 (Advisory GHSA-xw98-5q62-jx94) — High (CVSS 7.5)
TLS Handshake Error Handling Allows Stalled Connections on TCP Routers
CVE-2026-26998 (Advisory GHSA-fw45-f5q2-2p4x) — Moderate (CVSS 4.4)
ForwardAuth Middleware Allows Unbounded Response Body, Causing Potential Denial of Service
We recommend all users upgrade to v2.11.38 or v3.6.9 as soon as possible.
If you have any questions or comments about these vulnerabilities, please add a comment below.