CVE-2026-35051 Common Vulnerabilities and Exposures

Upstream information

CVE-2026-35051 at MITRE

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

SUSE information

Overall state of this security issue: Does not affect SUSE products

SUSE Bugzilla entry: 1263866 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s)	Fixed package version(s)	References
openSUSE Tumbleweed	`traefik >= 3.6.15-1.1` `traefik2 >= 2.11.44-1.1`	Patchnames: openSUSE-Tumbleweed-2026-10697 openSUSE-Tumbleweed-2026-10698

SUSE Timeline for this CVE

CVE page created: Fri May 1 00:01:01 2026
CVE page last modified: Fri May 8 12:08:57 2026