Find a vulnerability
Search criteria
115 vulnerabilities found for Traefik by Traefik
CVE-2026-54762 (GCVE-0-2026-54762)
Vulnerability from nvd – Published: 2026-06-23 19:17 – Updated: 2026-06-24 12:41| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v3.7.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T12:40:27.663071Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T12:41:44.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik\u0027s Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency \u2014 a missing, malformed, unreadable, or policy-denied Secret \u2014 rather than an intentionally unprotected route. This vulnerability is fixed in 3.7.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-636",
"description": "CWE-636: Not Failing Securely (\u0027Failing Open\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:17:07.491Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-4mr2-fg2p-w63c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-4mr2-fg2p-w63c"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.5"
}
],
"source": {
"advisory": "GHSA-4mr2-fg2p-w63c",
"discovery": "UNKNOWN"
},
"title": "Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54762",
"datePublished": "2026-06-23T19:17:07.491Z",
"dateReserved": "2026-06-15T23:12:41.966Z",
"dateUpdated": "2026-06-24T12:41:44.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54761 (GCVE-0-2026-54761)
Vulnerability from nvd – Published: 2026-06-23 19:15 – Updated: 2026-06-25 12:45| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v3.6.21 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.7.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:45:14.367141Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:45:24.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 3.6.21"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik\u0027s Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route\u0027s own namespace. As a result, an HTTPRoute created in a namespace that is not allow-listed can reference a cross-provider TraefikService such as api@internal, dashboard@internal or rest@internal by pointing backendRef.namespace at an allow-listed namespace covered by a Gateway API ReferenceGrant, exposing internal Traefik services on the data plane. Exploitation requires the ability to create an accepted HTTPRoute and a matching ReferenceGrant from an allow-listed namespace; it does not require any change to Traefik static configuration, RBAC, or the deployment itself. This vulnerability is fixed in 3.6.21 and 3.7.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:15:38.410Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-3g6v-2r68-prfc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-3g6v-2r68-prfc"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.21"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.5"
}
],
"source": {
"advisory": "GHSA-3g6v-2r68-prfc",
"discovery": "UNKNOWN"
},
"title": "Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54761",
"datePublished": "2026-06-23T19:15:38.410Z",
"dateReserved": "2026-06-15T23:12:41.966Z",
"dateUpdated": "2026-06-25T12:45:24.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53622 (GCVE-0-2026-53622)
Vulnerability from nvd – Published: 2026-06-23 19:13 – Updated: 2026-06-30 12:09| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v3.7.3 | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-53622 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2491924 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
< 3.7.3
|
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:44:08.806237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:44:19.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-23T19:13:28.844Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This critical vulnerability in Traefik\u0027s HTTP/3 (QUIC) TLS configuration selection allows unauthenticated clients to bypass router-specific mutual Transport Layer Security (mTLS) enforcement. When HTTP/3 is enabled and a router uses wildcard host rules or case-insensitive hostname matching with client certificate authentication, an attacker can complete the QUIC handshake without presenting a certificate. This bypass grants unauthorized access to a backend that should be protected by mTLS."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-289",
"description": "Authentication Bypass by Alternate Name",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:27.550Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-53622"
},
{
"name": "RHBZ#2491924",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491924"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53622.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T20:01:29.612Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-23T19:13:28.844Z",
"value": "Made public."
}
],
"title": "github.com/traefik/traefik: Traefik: mTLS enforcement bypass due to HTTP/3 TLS configuration flaw",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, disable HTTP/3 (QUIC) on Traefik entrypoints. This prevents the TLS configuration selection flaw that leads to mTLS bypass. Consult Traefik documentation for specific configuration steps to disable HTTP/3. Restarting the Traefik service will be required for the changes to take effect."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 3.7.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik\u0027s HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration \u2014 which may not require client certificates \u2014 a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard Host rule or case-insensitive hostname matching, a router-specific TLSOptions enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker. This vulnerability is fixed in 3.7.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:13:28.844Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-9cr8-q42q-g8m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-9cr8-q42q-g8m7"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.3"
}
],
"source": {
"advisory": "GHSA-9cr8-q42q-g8m7",
"discovery": "UNKNOWN"
},
"title": "Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53622",
"datePublished": "2026-06-23T19:13:28.844Z",
"dateReserved": "2026-06-09T20:16:59.646Z",
"dateUpdated": "2026-06-30T12:09:27.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48491 (GCVE-0-2026-48491)
Vulnerability from nvd – Published: 2026-06-23 19:12 – Updated: 2026-06-30 12:09| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v3.7.3 | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-48491 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2491923 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
>= 3.7.0, < 3.7.3
|
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48491",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T14:31:36.691139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:31:59.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-23T19:12:10.819Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This vulnerability allows an unauthenticated client to bypass mutual Transport Layer Security (TLS) enforcement, a security measure that verifies both client and server identities. The bypass occurs due to an issue in Traefik\u0027s domain-fronting protection (SNICheck), which incorrectly processes TLS options for HTTP Host headers. As a result, an attacker can gain unauthorized access to protected backend services without presenting a required client certificate."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:58.744Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-48491"
},
{
"name": "RHBZ#2491923",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491923"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48491.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T20:01:26.461Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-23T19:12:10.819Z",
"value": "Made public."
}
],
"title": "Traefik: Traefik: Unauthorized access due to mutual TLS bypass",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, avoid configuring Traefik with wildcard host rules (e.g., Host(*.example.com)) alongside strict TLS options such as RequireAndVerifyClientCert on entrypoints that also serve permissive SNI configurations. Alternatively, restrict network access to Traefik\u0027s entrypoints to trusted networks only, thereby limiting potential exposure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.7.0, \u003c 3.7.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik\u0027s domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This affects the regular HTTPS / HTTP-2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:12:10.819Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.3"
}
],
"source": {
"advisory": "GHSA-5r4w-85f3-pw66",
"discovery": "UNKNOWN"
},
"title": "Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48491",
"datePublished": "2026-06-23T19:12:10.819Z",
"dateReserved": "2026-05-21T15:33:08.291Z",
"dateUpdated": "2026-06-30T12:09:58.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48020 (GCVE-0-2026-48020)
Vulnerability from nvd – Published: 2026-06-23 19:10 – Updated: 2026-06-30 12:09| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.19 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.7.3 | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-48020 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2491915 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
>= 3.7.0-ea.1, < 3.7.3
Affected: >= 3.0.0-beta1, < 3.6.19 Affected: < 2.11.48 |
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T13:37:15.853351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T13:37:28.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-23T19:10:31.557Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This vulnerability exists in the StripPrefix middleware, allowing an unauthenticated attacker to bypass route-level authentication and authorization. By crafting a request path containing \u0027..\u0027 or its percent-encoded form, an attacker can access protected backend paths, such as administrative or internal configuration endpoints, without proper authentication. This could lead to unauthorized information disclosure or modification of sensitive settings."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:59.927Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-48020"
},
{
"name": "RHBZ#2491915",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491915"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48020.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T20:00:57.714Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-23T19:10:31.557Z",
"value": "Made public."
}
],
"title": "github.com/traefik/traefik: Traefik: Authentication bypass in StripPrefix middleware allows unauthorized access to protected paths",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.3"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.19"
},
{
"status": "affected",
"version": "\u003c 2.11.48"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik\u0027s StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths \u2014 such as admin or internal configuration endpoints \u2014 without satisfying the authentication middleware attached to the protected router. This vulnerability is fixed in 2.11.48, 3.6.19, and 3.7.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:10:31.557Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.48",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.48"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.19",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.19"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.3"
}
],
"source": {
"advisory": "GHSA-xf64-8mw2-4gr2",
"discovery": "UNKNOWN"
},
"title": "Traefik StripPrefix Route-Level Auth Bypass via Path Normalization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48020",
"datePublished": "2026-06-23T19:10:31.557Z",
"dateReserved": "2026-05-20T17:44:09.587Z",
"dateUpdated": "2026-06-30T12:09:59.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54365 (GCVE-0-2023-54365)
Vulnerability from nvd – Published: 2026-06-23 12:12 – Updated: 2026-06-30 12:07| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | vendor-advisory |
| https://www.vulncheck.com/advisories/traefik-deni… | third-party-advisory |
| https://access.redhat.com/security/cve/CVE-2023-54365 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2491710 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| Traefik | Traefik |
Affected:
0 , < 2.10.5
(semver)
Unaffected: 2.10.5 (semver) |
|
| Traefik | Traefik |
Affected:
3.0.0-beta1 , < 3.0.0-beta4
(semver)
Unaffected: 3.0.0-beta4 (semver) |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-54365",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T18:13:32.219989Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T18:13:51.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-23T12:12:51.853Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik\u0027s HTTP/2 request handling. A remote attacker can exploit this vulnerability by rapidly creating and canceling HTTP/2 streams. This can exhaust server resources, leading to a denial of service (DoS) and making the service unavailable to legitimate users. This issue is inherited from the Go standard library\u0027s HTTP/2 implementation, known as the \u0027Rapid Reset\u0027 technique."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:07:27.277Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-54365"
},
{
"name": "RHBZ#2491710",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491710"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2023/cve-2023-54365.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T13:01:50.400Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-23T12:12:51.853Z",
"value": "Made public."
}
],
"title": "github.com/traefik/traefik: net/http2: Traefik: Denial of Service via HTTP/2 Rapid Reset technique",
"workarounds": [
{
"lang": "en",
"value": "The recommended mitigation is to upgrade Traefik to a version that includes the patched HTTP/2 dependency."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/github.com/traefik/traefik",
"product": "Traefik",
"vendor": "Traefik",
"versions": [
{
"lessThan": "2.10.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.10.5",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/github.com/traefik/traefik",
"product": "Traefik",
"vendor": "Traefik",
"versions": [
{
"lessThan": "3.0.0-beta4",
"status": "affected",
"version": "3.0.0-beta1",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.0.0-beta4",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:traefik:traefik_enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.21.3, 1.20.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:traefik:traefik_enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.10.5, v3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-10-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library\u0027s HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the \u0027Rapid Reset\u0027 technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T12:12:51.853Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-7v4p-328v-8v5g)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-7v4p-328v-8v5g"
},
{
"name": "VulnCheck Advisory: Traefik - Denial of Service via HTTP/2 Request Handling",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/traefik-denial-of-service-via-http-2-request-handling"
}
],
"title": "Traefik - Denial of Service via HTTP/2 Request Handling",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-54365",
"datePublished": "2026-06-23T12:12:51.853Z",
"dateReserved": "2026-06-22T21:54:30.246Z",
"dateUpdated": "2026-06-30T12:07:27.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44774 (GCVE-0-2026-44774)
Vulnerability from nvd – Published: 2026-05-15 16:30 – Updated: 2026-06-30 12:10| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.17 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.7.1 | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-44774 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477937 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
< 2.11.46
Affected: >= 3.0.0-beta1, < 3.6.17 Affected: >= 3.7.0-rc.0, < 3.7.1 |
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
|
| Red Hat | Red Hat OpenShift GitOps |
cpe:/a:redhat:openshift_gitops:1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44774",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-16T01:12:38.060089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T01:12:49.947Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-15T16:30:43.265Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik. A low-privileged tenant with HTTPRoute creation permissions in Traefik\u0027s Kubernetes Gateway API provider can bypass security settings. This allows the tenant to expose the REST provider handler and gain live dynamic configuration write access to Traefik. This vulnerability enables unauthorized reconfiguration of routers and services, potentially leading to privilege escalation within the system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-15",
"description": "External Control of System or Configuration Setting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:24.075Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-44774"
},
{
"name": "RHBZ#2477937",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477937"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44774.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-15T17:01:12.579Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-15T16:30:43.265Z",
"value": "Made public."
}
],
"title": "traefik: Traefik: Privilege escalation via Kubernetes Gateway API provider configuration bypass",
"workarounds": [
{
"lang": "en",
"value": "Upgrade Traefik to version 2.11.46 or later (2.x line), 3.6.17 or later (3.6.x line), or 3.7.1 or later (3.7.x line) by installing updated Red Hat OpenShift Dev Spaces releases that ship a fixed traefik-rhel9 container image.\n\nUntil updated images are available, limit which principals can create HTTPRoute resources in namespaces where Traefik runs with the Kubernetes Gateway API provider. Disable or tightly restrict the Traefik REST dynamic configuration provider in shared Gateway deployments, and block untrusted use of TraefikService backends that reference @internal handlers."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.46"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.17"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-rc.0, \u003c 3.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik\u0027s Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T16:30:43.265Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.46",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.46"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.17"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.1"
}
],
"source": {
"advisory": "GHSA-96qj-4jj5-wcjc",
"discovery": "UNKNOWN"
},
"title": "Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44774",
"datePublished": "2026-05-15T16:30:43.265Z",
"dateReserved": "2026-05-07T19:20:44.688Z",
"dateUpdated": "2026-06-30T12:10:24.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41181 (GCVE-0-2026-41181)
Vulnerability from nvd – Published: 2026-05-15 16:27 – Updated: 2026-05-16 01:11- CWE-201 - Insertion of Sensitive Information Into Sent Data
| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.15 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41181",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-16T01:10:51.338125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T01:11:03.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.7.0-rc.0, \u003c 3.7.0-rc.3"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.14"
},
{
"status": "affected",
"version": "\u003c 2.11.43"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik\u0027s errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request\u0027s complete header set, including Authorization, Cookie, and other authentication material, to the separate error page service rather than only the minimal context needed to render the error page. This behavior is undocumented: the documentation states only that Host is forwarded by default, so operators are not warned that sensitive credentials are shared across service boundaries. Deployments using the errors middleware with a distinct error page service may inadvertently expose end-user credentials to infrastructure that was not intended to receive them. This vulnerability is fixed in 2.11.44, 3.6.15, and 3.7.0-rc.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T16:27:14.823Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.44",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.44"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.15"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3"
}
],
"source": {
"advisory": "GHSA-p6hg-qh38-555r",
"discovery": "UNKNOWN"
},
"title": "Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41181",
"datePublished": "2026-05-15T16:27:14.823Z",
"dateReserved": "2026-04-17T16:34:45.526Z",
"dateUpdated": "2026-05-16T01:11:03.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41263 (GCVE-0-2026-41263)
Vulnerability from nvd – Published: 2026-04-30 20:39 – Updated: 2026-05-01 14:22- CWE-208 - Observable Timing Discrepancy
| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.14 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:22:30.689474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:22:40.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.43"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.14"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.0-rc.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik\u0027s BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. This restores the original timing oracle and makes it possible to distinguish existing users from non-existing ones by measuring authentication response times. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:39:49.658Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.43"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.14"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2"
}
],
"source": {
"advisory": "GHSA-6x2q-h3cr-8j2h",
"discovery": "UNKNOWN"
},
"title": "Traefik: BasicAuth middleware: timing side-channel vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41263",
"datePublished": "2026-04-30T20:39:49.658Z",
"dateReserved": "2026-04-18T14:01:46.801Z",
"dateUpdated": "2026-05-01T14:22:40.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41174 (GCVE-0-2026-41174)
Vulnerability from nvd – Published: 2026-04-30 20:20 – Updated: 2026-05-04 13:26| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/commit/df00d82… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.14 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41174",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T13:25:25.541487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T13:26:08.289Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.43"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.0-rc.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik\u0027s Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects direct cross-namespace middleware references from IngressRoute objects, but fails to apply the same restriction to middleware references nested inside a Chain middleware\u0027s spec.chain.middlewares[]. An actor with permission to create or update Traefik CRDs in their own namespace can exploit this to cause Traefik to resolve and apply middleware objects from another namespace, bypassing the documented isolation boundary. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653: Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:20:29.679Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-xhjw-95fp-8vgq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-xhjw-95fp-8vgq"
},
{
"name": "https://github.com/traefik/traefik/commit/df00d82fc7f12e07199551832b54de6d0e55414d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/commit/df00d82fc7f12e07199551832b54de6d0e55414d"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.43"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.14"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2"
}
],
"source": {
"advisory": "GHSA-xhjw-95fp-8vgq",
"discovery": "UNKNOWN"
},
"title": "Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41174",
"datePublished": "2026-04-30T20:20:29.679Z",
"dateReserved": "2026-04-17T16:34:45.526Z",
"dateUpdated": "2026-05-04T13:26:08.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40912 (GCVE-0-2026-40912)
Vulnerability from nvd – Published: 2026-04-30 20:38 – Updated: 2026-06-30 12:08| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.14 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-40912 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2464229 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:21772 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
< 2.11.43
Affected: >= 3.0.0-beta1, < 3.6.14 Affected: >= 3.7.0-ea.1, < 3.7.0-rc.2 |
|
| Red Hat | Red Hat OpenShift Dev Spaces 3.28 |
cpe:/a:redhat:openshift_devspaces:3.28::el9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40912",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:53:15.470528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:54:06.078Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.28::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.28",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-30T20:38:21.969Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This authentication bypass vulnerability allows an unauthenticated attacker to access protected content. The flaw occurs when the StripPrefixRegex middleware is used with authentication mechanisms such as ForwardAuth, BasicAuth, or DigestAuth. By crafting a specific URL with dot-segments, an attacker can bypass authentication checks and gain unauthorized access to sensitive resources."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:53.742Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-40912"
},
{
"name": "RHBZ#2464229",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464229"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40912.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21772"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T21:01:06.544Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-30T20:38:21.969Z",
"value": "Made public."
}
],
"title": "github.com/traefik/traefik: Traefik: Authentication bypass via crafted URL dot-segments in StripPrefixRegex middleware",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.43"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.14"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.0-rc.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik\u0027s StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. /./admin/secret). ForwardAuth receives this dot-segment path in X-Forwarded-Uri, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:38:21.969Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-6jwx-7vp4-9847",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-6jwx-7vp4-9847"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.43"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.14"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2"
}
],
"source": {
"advisory": "GHSA-6jwx-7vp4-9847",
"discovery": "UNKNOWN"
},
"title": "Traefik: StripPrefixRegex auth bypass via Path/RawPath desync"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40912",
"datePublished": "2026-04-30T20:38:21.969Z",
"dateReserved": "2026-04-15T16:37:22.768Z",
"dateUpdated": "2026-06-30T12:08:53.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39858 (GCVE-0-2026-39858)
Vulnerability from nvd – Published: 2026-04-30 20:26 – Updated: 2026-06-30 12:09| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.14 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-39858 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2464234 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:21772 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
< 2.11.43
Affected: >= 3.0.0-beta1, < 3.6.14 Affected: >= 3.7.0-ea.1, < 3.7.0-rc.2 |
|
| Red Hat | Red Hat OpenShift Dev Spaces 3.28 |
cpe:/a:redhat:openshift_devspaces:3.28::el9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T16:57:57.062955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T16:58:14.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.28::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.28",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-30T20:26:26.300Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik. A remote attacker can exploit an authentication bypass vulnerability by injecting spoofed trust context through unsanitized alias headers. This is due to Traefik\u0027s forwarded-header sanitization logic not properly handling alias header names that use underscores instead of dashes. This allows an attacker to bypass authentication on protected routes without valid credentials."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-289",
"description": "Authentication Bypass by Alternate Name",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:00.290Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-39858"
},
{
"name": "RHBZ#2464234",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464234"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39858.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21772"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T21:01:23.755Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-30T20:26:26.300Z",
"value": "Made public."
}
],
"title": "traefik: Traefik: Authentication bypass via unsanitized alias headers",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.43"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.14"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.0-rc.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik\u0027s ForwardAuth and snippet-based authentication middleware. Traefik\u0027s forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context \u2014 such as a trusted scheme or host \u2014 through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:26:26.300Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.43"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.14"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2"
}
],
"source": {
"advisory": "GHSA-5m6w-wvh7-57vm",
"discovery": "UNKNOWN"
},
"title": "Traefik: Forwarded alias spoofing top pre-auth decision bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39858",
"datePublished": "2026-04-30T20:26:26.300Z",
"dateReserved": "2026-04-07T19:13:20.379Z",
"dateUpdated": "2026-06-30T12:09:00.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35051 (GCVE-0-2026-35051)
Vulnerability from nvd – Published: 2026-04-30 20:26 – Updated: 2026-06-30 12:09| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.14 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-35051 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2464235 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:21772 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
< 2.11.43
Affected: >= 3.0.0-beta1, < 3.6.14 Affected: >= 3.7.0-ea.1, < 3.7.0-rc.2 |
|
| Red Hat | Red Hat OpenShift Dev Spaces 3.28 |
cpe:/a:redhat:openshift_devspaces:3.28::el9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35051",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T21:19:58.832533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T21:20:11.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.28::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.28",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-30T20:26:06.716Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This authentication bypass vulnerability exists in Traefik\u0027s ForwardAuth middleware when the `trustForwardHeader` setting is configured as `false` and Traefik is deployed behind a trusted upstream proxy. A remote attacker could exploit this to bypass authentication, potentially gaining unauthorized access to protected resources."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-501",
"description": "Trust Boundary Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:05.981Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-35051"
},
{
"name": "RHBZ#2464235",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464235"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-35051.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21772"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T21:01:28.437Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-30T20:26:06.716Z",
"value": "Made public."
}
],
"title": "Traefik: github.com/traefik/traefik: Traefik: Authentication bypass in ForwardAuth middleware",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, ensure that the `trustForwardHeader` setting in Traefik\u0027s ForwardAuth middleware is not explicitly configured as `false` unless absolutely necessary. If Traefik is deployed behind a trusted upstream proxy, review the configuration to ensure that `trustForwardHeader` is either set to `true` or omitted, allowing Traefik to correctly process forwarded headers for authentication. If this configuration is modified, a restart or reload of the Traefik service may be required for the changes to take effect."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.43"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.14"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.0-rc.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik\u0027s ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:26:06.716Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.43"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.14"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2"
}
],
"source": {
"advisory": "GHSA-6384-m2mw-rf54",
"discovery": "UNKNOWN"
},
"title": "Traefik: ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35051",
"datePublished": "2026-04-30T20:26:06.716Z",
"dateReserved": "2026-03-31T21:06:06.429Z",
"dateUpdated": "2026-06-30T12:09:05.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54762 (GCVE-0-2026-54762)
Vulnerability from cvelistv5 – Published: 2026-06-23 19:17 – Updated: 2026-06-24 12:41| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v3.7.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T12:40:27.663071Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T12:41:44.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik\u0027s Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency \u2014 a missing, malformed, unreadable, or policy-denied Secret \u2014 rather than an intentionally unprotected route. This vulnerability is fixed in 3.7.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-636",
"description": "CWE-636: Not Failing Securely (\u0027Failing Open\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:17:07.491Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-4mr2-fg2p-w63c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-4mr2-fg2p-w63c"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.5"
}
],
"source": {
"advisory": "GHSA-4mr2-fg2p-w63c",
"discovery": "UNKNOWN"
},
"title": "Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54762",
"datePublished": "2026-06-23T19:17:07.491Z",
"dateReserved": "2026-06-15T23:12:41.966Z",
"dateUpdated": "2026-06-24T12:41:44.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54761 (GCVE-0-2026-54761)
Vulnerability from cvelistv5 – Published: 2026-06-23 19:15 – Updated: 2026-06-25 12:45| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v3.6.21 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.7.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:45:14.367141Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:45:24.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 3.6.21"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik\u0027s Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route\u0027s own namespace. As a result, an HTTPRoute created in a namespace that is not allow-listed can reference a cross-provider TraefikService such as api@internal, dashboard@internal or rest@internal by pointing backendRef.namespace at an allow-listed namespace covered by a Gateway API ReferenceGrant, exposing internal Traefik services on the data plane. Exploitation requires the ability to create an accepted HTTPRoute and a matching ReferenceGrant from an allow-listed namespace; it does not require any change to Traefik static configuration, RBAC, or the deployment itself. This vulnerability is fixed in 3.6.21 and 3.7.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:15:38.410Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-3g6v-2r68-prfc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-3g6v-2r68-prfc"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.21"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.5"
}
],
"source": {
"advisory": "GHSA-3g6v-2r68-prfc",
"discovery": "UNKNOWN"
},
"title": "Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54761",
"datePublished": "2026-06-23T19:15:38.410Z",
"dateReserved": "2026-06-15T23:12:41.966Z",
"dateUpdated": "2026-06-25T12:45:24.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53622 (GCVE-0-2026-53622)
Vulnerability from cvelistv5 – Published: 2026-06-23 19:13 – Updated: 2026-06-30 12:09| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v3.7.3 | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-53622 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2491924 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
< 3.7.3
|
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:44:08.806237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:44:19.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-23T19:13:28.844Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This critical vulnerability in Traefik\u0027s HTTP/3 (QUIC) TLS configuration selection allows unauthenticated clients to bypass router-specific mutual Transport Layer Security (mTLS) enforcement. When HTTP/3 is enabled and a router uses wildcard host rules or case-insensitive hostname matching with client certificate authentication, an attacker can complete the QUIC handshake without presenting a certificate. This bypass grants unauthorized access to a backend that should be protected by mTLS."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-289",
"description": "Authentication Bypass by Alternate Name",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:27.550Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-53622"
},
{
"name": "RHBZ#2491924",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491924"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53622.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T20:01:29.612Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-23T19:13:28.844Z",
"value": "Made public."
}
],
"title": "github.com/traefik/traefik: Traefik: mTLS enforcement bypass due to HTTP/3 TLS configuration flaw",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, disable HTTP/3 (QUIC) on Traefik entrypoints. This prevents the TLS configuration selection flaw that leads to mTLS bypass. Consult Traefik documentation for specific configuration steps to disable HTTP/3. Restarting the Traefik service will be required for the changes to take effect."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 3.7.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik\u0027s HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI value, which fails to match wildcard host patterns (e.g., *.example.com) or case variants of the configured hostname. Because the handshake falls back to the default TLS configuration \u2014 which may not require client certificates \u2014 a client can complete the QUIC handshake without presenting a certificate, while the subsequent HTTP routing layer still dispatches the request to a backend protected by a router-specific mTLS policy. The issue affects deployments where HTTP/3 is enabled, a router uses a wildcard Host rule or case-insensitive hostname matching, a router-specific TLSOptions enforces client certificate authentication, and UDP access to the entrypoint is reachable by an attacker. This vulnerability is fixed in 3.7.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:13:28.844Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-9cr8-q42q-g8m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-9cr8-q42q-g8m7"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.3"
}
],
"source": {
"advisory": "GHSA-9cr8-q42q-g8m7",
"discovery": "UNKNOWN"
},
"title": "Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53622",
"datePublished": "2026-06-23T19:13:28.844Z",
"dateReserved": "2026-06-09T20:16:59.646Z",
"dateUpdated": "2026-06-30T12:09:27.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48491 (GCVE-0-2026-48491)
Vulnerability from cvelistv5 – Published: 2026-06-23 19:12 – Updated: 2026-06-30 12:09| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v3.7.3 | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-48491 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2491923 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
>= 3.7.0, < 3.7.3
|
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48491",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T14:31:36.691139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:31:59.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-23T19:12:10.819Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This vulnerability allows an unauthenticated client to bypass mutual Transport Layer Security (TLS) enforcement, a security measure that verifies both client and server identities. The bypass occurs due to an issue in Traefik\u0027s domain-fronting protection (SNICheck), which incorrectly processes TLS options for HTTP Host headers. As a result, an attacker can gain unauthorized access to protected backend services without presenting a required client certificate."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:58.744Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-48491"
},
{
"name": "RHBZ#2491923",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491923"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48491.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T20:01:26.461Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-23T19:12:10.819Z",
"value": "Made public."
}
],
"title": "Traefik: Traefik: Unauthorized access due to mutual TLS bypass",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, avoid configuring Traefik with wildcard host rules (e.g., Host(*.example.com)) alongside strict TLS options such as RequireAndVerifyClientCert on entrypoints that also serve permissive SNI configurations. Alternatively, restrict network access to Traefik\u0027s entrypoints to trusted networks only, thereby limiting potential exposure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.7.0, \u003c 3.7.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik\u0027s domain-fronting protection (SNICheck) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host(*.example.com) with stricter TLS options (for example RequireAndVerifyClientCert), SNICheck resolves the TLS options for the HTTP Host header using exact map lookups only and never applies wildcard matching. If another permissive SNI is served on the same entrypoint, an attacker can complete the TLS handshake under the permissive options and then send an HTTP Host header targeting the wildcard-protected backend, reaching it without presenting a client certificate. This affects the regular HTTPS / HTTP-2 path and does not require HTTP/3. This vulnerability is fixed in 3.7.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:12:10.819Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.3"
}
],
"source": {
"advisory": "GHSA-5r4w-85f3-pw66",
"discovery": "UNKNOWN"
},
"title": "Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48491",
"datePublished": "2026-06-23T19:12:10.819Z",
"dateReserved": "2026-05-21T15:33:08.291Z",
"dateUpdated": "2026-06-30T12:09:58.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48020 (GCVE-0-2026-48020)
Vulnerability from cvelistv5 – Published: 2026-06-23 19:10 – Updated: 2026-06-30 12:09| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.19 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.7.3 | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-48020 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2491915 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
>= 3.7.0-ea.1, < 3.7.3
Affected: >= 3.0.0-beta1, < 3.6.19 Affected: < 2.11.48 |
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T13:37:15.853351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T13:37:28.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-23T19:10:31.557Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This vulnerability exists in the StripPrefix middleware, allowing an unauthenticated attacker to bypass route-level authentication and authorization. By crafting a request path containing \u0027..\u0027 or its percent-encoded form, an attacker can access protected backend paths, such as administrative or internal configuration endpoints, without proper authentication. This could lead to unauthorized information disclosure or modification of sensitive settings."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:59.927Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-48020"
},
{
"name": "RHBZ#2491915",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491915"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48020.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T20:00:57.714Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-23T19:10:31.557Z",
"value": "Made public."
}
],
"title": "github.com/traefik/traefik: Traefik: Authentication bypass in StripPrefix middleware allows unauthorized access to protected paths",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.3"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.19"
},
{
"status": "affected",
"version": "\u003c 2.11.48"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik\u0027s StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths \u2014 such as admin or internal configuration endpoints \u2014 without satisfying the authentication middleware attached to the protected router. This vulnerability is fixed in 2.11.48, 3.6.19, and 3.7.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:10:31.557Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.48",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.48"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.19",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.19"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.3"
}
],
"source": {
"advisory": "GHSA-xf64-8mw2-4gr2",
"discovery": "UNKNOWN"
},
"title": "Traefik StripPrefix Route-Level Auth Bypass via Path Normalization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48020",
"datePublished": "2026-06-23T19:10:31.557Z",
"dateReserved": "2026-05-20T17:44:09.587Z",
"dateUpdated": "2026-06-30T12:09:59.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54365 (GCVE-0-2023-54365)
Vulnerability from cvelistv5 – Published: 2026-06-23 12:12 – Updated: 2026-06-30 12:07| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | vendor-advisory |
| https://www.vulncheck.com/advisories/traefik-deni… | third-party-advisory |
| https://access.redhat.com/security/cve/CVE-2023-54365 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2491710 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| Traefik | Traefik |
Affected:
0 , < 2.10.5
(semver)
Unaffected: 2.10.5 (semver) |
|
| Traefik | Traefik |
Affected:
3.0.0-beta1 , < 3.0.0-beta4
(semver)
Unaffected: 3.0.0-beta4 (semver) |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-54365",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T18:13:32.219989Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T18:13:51.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-23T12:12:51.853Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik\u0027s HTTP/2 request handling. A remote attacker can exploit this vulnerability by rapidly creating and canceling HTTP/2 streams. This can exhaust server resources, leading to a denial of service (DoS) and making the service unavailable to legitimate users. This issue is inherited from the Go standard library\u0027s HTTP/2 implementation, known as the \u0027Rapid Reset\u0027 technique."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:07:27.277Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-54365"
},
{
"name": "RHBZ#2491710",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491710"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2023/cve-2023-54365.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T13:01:50.400Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-23T12:12:51.853Z",
"value": "Made public."
}
],
"title": "github.com/traefik/traefik: net/http2: Traefik: Denial of Service via HTTP/2 Rapid Reset technique",
"workarounds": [
{
"lang": "en",
"value": "The recommended mitigation is to upgrade Traefik to a version that includes the patched HTTP/2 dependency."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/github.com/traefik/traefik",
"product": "Traefik",
"vendor": "Traefik",
"versions": [
{
"lessThan": "2.10.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.10.5",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/github.com/traefik/traefik",
"product": "Traefik",
"vendor": "Traefik",
"versions": [
{
"lessThan": "3.0.0-beta4",
"status": "affected",
"version": "3.0.0-beta1",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.0.0-beta4",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:traefik:traefik_enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.21.3, 1.20.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:traefik:traefik_enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.10.5, v3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-10-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library\u0027s HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the \u0027Rapid Reset\u0027 technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T12:12:51.853Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-7v4p-328v-8v5g)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-7v4p-328v-8v5g"
},
{
"name": "VulnCheck Advisory: Traefik - Denial of Service via HTTP/2 Request Handling",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/traefik-denial-of-service-via-http-2-request-handling"
}
],
"title": "Traefik - Denial of Service via HTTP/2 Request Handling",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-54365",
"datePublished": "2026-06-23T12:12:51.853Z",
"dateReserved": "2026-06-22T21:54:30.246Z",
"dateUpdated": "2026-06-30T12:07:27.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44774 (GCVE-0-2026-44774)
Vulnerability from cvelistv5 – Published: 2026-05-15 16:30 – Updated: 2026-06-30 12:10| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.17 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.7.1 | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-44774 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477937 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
< 2.11.46
Affected: >= 3.0.0-beta1, < 3.6.17 Affected: >= 3.7.0-rc.0, < 3.7.1 |
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
|
| Red Hat | Red Hat OpenShift GitOps |
cpe:/a:redhat:openshift_gitops:1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44774",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-16T01:12:38.060089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T01:12:49.947Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-15T16:30:43.265Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik. A low-privileged tenant with HTTPRoute creation permissions in Traefik\u0027s Kubernetes Gateway API provider can bypass security settings. This allows the tenant to expose the REST provider handler and gain live dynamic configuration write access to Traefik. This vulnerability enables unauthorized reconfiguration of routers and services, potentially leading to privilege escalation within the system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-15",
"description": "External Control of System or Configuration Setting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:24.075Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-44774"
},
{
"name": "RHBZ#2477937",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477937"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44774.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-15T17:01:12.579Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-15T16:30:43.265Z",
"value": "Made public."
}
],
"title": "traefik: Traefik: Privilege escalation via Kubernetes Gateway API provider configuration bypass",
"workarounds": [
{
"lang": "en",
"value": "Upgrade Traefik to version 2.11.46 or later (2.x line), 3.6.17 or later (3.6.x line), or 3.7.1 or later (3.7.x line) by installing updated Red Hat OpenShift Dev Spaces releases that ship a fixed traefik-rhel9 container image.\n\nUntil updated images are available, limit which principals can create HTTPRoute resources in namespaces where Traefik runs with the Kubernetes Gateway API provider. Disable or tightly restrict the Traefik REST dynamic configuration provider in shared Gateway deployments, and block untrusted use of TraefikService backends that reference @internal handlers."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.46"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.17"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-rc.0, \u003c 3.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik\u0027s Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T16:30:43.265Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.46",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.46"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.17"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.1"
}
],
"source": {
"advisory": "GHSA-96qj-4jj5-wcjc",
"discovery": "UNKNOWN"
},
"title": "Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44774",
"datePublished": "2026-05-15T16:30:43.265Z",
"dateReserved": "2026-05-07T19:20:44.688Z",
"dateUpdated": "2026-06-30T12:10:24.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41181 (GCVE-0-2026-41181)
Vulnerability from cvelistv5 – Published: 2026-05-15 16:27 – Updated: 2026-05-16 01:11- CWE-201 - Insertion of Sensitive Information Into Sent Data
| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.15 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41181",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-16T01:10:51.338125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T01:11:03.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.7.0-rc.0, \u003c 3.7.0-rc.3"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.14"
},
{
"status": "affected",
"version": "\u003c 2.11.43"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik\u0027s errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request\u0027s complete header set, including Authorization, Cookie, and other authentication material, to the separate error page service rather than only the minimal context needed to render the error page. This behavior is undocumented: the documentation states only that Host is forwarded by default, so operators are not warned that sensitive credentials are shared across service boundaries. Deployments using the errors middleware with a distinct error page service may inadvertently expose end-user credentials to infrastructure that was not intended to receive them. This vulnerability is fixed in 2.11.44, 3.6.15, and 3.7.0-rc.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T16:27:14.823Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.44",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.44"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.15"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.3"
}
],
"source": {
"advisory": "GHSA-p6hg-qh38-555r",
"discovery": "UNKNOWN"
},
"title": "Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41181",
"datePublished": "2026-05-15T16:27:14.823Z",
"dateReserved": "2026-04-17T16:34:45.526Z",
"dateUpdated": "2026-05-16T01:11:03.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41263 (GCVE-0-2026-41263)
Vulnerability from cvelistv5 – Published: 2026-04-30 20:39 – Updated: 2026-05-01 14:22- CWE-208 - Observable Timing Discrepancy
| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.14 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:22:30.689474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:22:40.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.43"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.14"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.0-rc.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik\u0027s BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. This restores the original timing oracle and makes it possible to distinguish existing users from non-existing ones by measuring authentication response times. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:39:49.658Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-6x2q-h3cr-8j2h"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.43"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.14"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2"
}
],
"source": {
"advisory": "GHSA-6x2q-h3cr-8j2h",
"discovery": "UNKNOWN"
},
"title": "Traefik: BasicAuth middleware: timing side-channel vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41263",
"datePublished": "2026-04-30T20:39:49.658Z",
"dateReserved": "2026-04-18T14:01:46.801Z",
"dateUpdated": "2026-05-01T14:22:40.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40912 (GCVE-0-2026-40912)
Vulnerability from cvelistv5 – Published: 2026-04-30 20:38 – Updated: 2026-06-30 12:08| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.14 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-40912 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2464229 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:21772 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
< 2.11.43
Affected: >= 3.0.0-beta1, < 3.6.14 Affected: >= 3.7.0-ea.1, < 3.7.0-rc.2 |
|
| Red Hat | Red Hat OpenShift Dev Spaces 3.28 |
cpe:/a:redhat:openshift_devspaces:3.28::el9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40912",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:53:15.470528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:54:06.078Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.28::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.28",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-30T20:38:21.969Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This authentication bypass vulnerability allows an unauthenticated attacker to access protected content. The flaw occurs when the StripPrefixRegex middleware is used with authentication mechanisms such as ForwardAuth, BasicAuth, or DigestAuth. By crafting a specific URL with dot-segments, an attacker can bypass authentication checks and gain unauthorized access to sensitive resources."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:53.742Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-40912"
},
{
"name": "RHBZ#2464229",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464229"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40912.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21772"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T21:01:06.544Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-30T20:38:21.969Z",
"value": "Made public."
}
],
"title": "github.com/traefik/traefik: Traefik: Authentication bypass via crafted URL dot-segments in StripPrefixRegex middleware",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.43"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.14"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.0-rc.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik\u0027s StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. /./admin/secret). ForwardAuth receives this dot-segment path in X-Forwarded-Uri, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:38:21.969Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-6jwx-7vp4-9847",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-6jwx-7vp4-9847"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.43"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.14"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2"
}
],
"source": {
"advisory": "GHSA-6jwx-7vp4-9847",
"discovery": "UNKNOWN"
},
"title": "Traefik: StripPrefixRegex auth bypass via Path/RawPath desync"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40912",
"datePublished": "2026-04-30T20:38:21.969Z",
"dateReserved": "2026-04-15T16:37:22.768Z",
"dateUpdated": "2026-06-30T12:08:53.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39858 (GCVE-0-2026-39858)
Vulnerability from cvelistv5 – Published: 2026-04-30 20:26 – Updated: 2026-06-30 12:09| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.14 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-39858 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2464234 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:21772 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
< 2.11.43
Affected: >= 3.0.0-beta1, < 3.6.14 Affected: >= 3.7.0-ea.1, < 3.7.0-rc.2 |
|
| Red Hat | Red Hat OpenShift Dev Spaces 3.28 |
cpe:/a:redhat:openshift_devspaces:3.28::el9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T16:57:57.062955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T16:58:14.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.28::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.28",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-30T20:26:26.300Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik. A remote attacker can exploit an authentication bypass vulnerability by injecting spoofed trust context through unsanitized alias headers. This is due to Traefik\u0027s forwarded-header sanitization logic not properly handling alias header names that use underscores instead of dashes. This allows an attacker to bypass authentication on protected routes without valid credentials."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-289",
"description": "Authentication Bypass by Alternate Name",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:00.290Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-39858"
},
{
"name": "RHBZ#2464234",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464234"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39858.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21772"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T21:01:23.755Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-30T20:26:26.300Z",
"value": "Made public."
}
],
"title": "traefik: Traefik: Authentication bypass via unsanitized alias headers",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.43"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.14"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.0-rc.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik\u0027s ForwardAuth and snippet-based authentication middleware. Traefik\u0027s forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context \u2014 such as a trusted scheme or host \u2014 through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:26:26.300Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.43"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.14"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2"
}
],
"source": {
"advisory": "GHSA-5m6w-wvh7-57vm",
"discovery": "UNKNOWN"
},
"title": "Traefik: Forwarded alias spoofing top pre-auth decision bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39858",
"datePublished": "2026-04-30T20:26:26.300Z",
"dateReserved": "2026-04-07T19:13:20.379Z",
"dateUpdated": "2026-06-30T12:09:00.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35051 (GCVE-0-2026-35051)
Vulnerability from cvelistv5 – Published: 2026-04-30 20:26 – Updated: 2026-06-30 12:09| URL | Tags |
|---|---|
| https://github.com/traefik/traefik/security/advis… | x_refsource_CONFIRM |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v3.6.14 | x_refsource_MISC |
| https://github.com/traefik/traefik/releases/tag/v… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-35051 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2464235 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:21772 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| traefik | traefik |
Affected:
< 2.11.43
Affected: >= 3.0.0-beta1, < 3.6.14 Affected: >= 3.7.0-ea.1, < 3.7.0-rc.2 |
|
| Red Hat | Red Hat OpenShift Dev Spaces 3.28 |
cpe:/a:redhat:openshift_devspaces:3.28::el9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35051",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T21:19:58.832533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T21:20:11.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.28::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.28",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-30T20:26:06.716Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This authentication bypass vulnerability exists in Traefik\u0027s ForwardAuth middleware when the `trustForwardHeader` setting is configured as `false` and Traefik is deployed behind a trusted upstream proxy. A remote attacker could exploit this to bypass authentication, potentially gaining unauthorized access to protected resources."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-501",
"description": "Trust Boundary Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:05.981Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-35051"
},
{
"name": "RHBZ#2464235",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464235"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-35051.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21772"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T21:01:28.437Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-30T20:26:06.716Z",
"value": "Made public."
}
],
"title": "Traefik: github.com/traefik/traefik: Traefik: Authentication bypass in ForwardAuth middleware",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, ensure that the `trustForwardHeader` setting in Traefik\u0027s ForwardAuth middleware is not explicitly configured as `false` unless absolutely necessary. If Traefik is deployed behind a trusted upstream proxy, review the configuration to ensure that `trustForwardHeader` is either set to `true` or omitted, allowing Traefik to correctly process forwarded headers for authentication. If this configuration is modified, a restart or reload of the Traefik service may be required for the changes to take effect."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "traefik",
"vendor": "traefik",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.43"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-beta1, \u003c 3.6.14"
},
{
"status": "affected",
"version": "\u003e= 3.7.0-ea.1, \u003c 3.7.0-rc.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik\u0027s ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:26:06.716Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v2.11.43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.43"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.6.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.14"
},
{
"name": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2"
}
],
"source": {
"advisory": "GHSA-6384-m2mw-rf54",
"discovery": "UNKNOWN"
},
"title": "Traefik: ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35051",
"datePublished": "2026-04-30T20:26:06.716Z",
"dateReserved": "2026-03-31T21:06:06.429Z",
"dateUpdated": "2026-06-30T12:09:05.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CERTFR-2026-AVI-0785
Vulnerability from certfr_avis - Published: 2026-06-19 - Updated: 2026-06-19
Une vulnérabilité a été découverte dans Traefik. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Traefik versions 3.7.x ant\u00e9rieures \u00e0 3.7.5",
"product": {
"name": "Traefik",
"vendor": {
"name": "Traefik",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-54762",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-54762"
}
],
"initial_release_date": "2026-06-19T00:00:00",
"last_revision_date": "2026-06-19T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0785",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Traefik. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Vuln\u00e9rabilit\u00e9 dans Traefik",
"vendor_advisories": [
{
"published_at": "2026-06-19",
"title": "Bulletin de s\u00e9curit\u00e9 Traefik GHSA-4mr2-fg2p-w63c",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-4mr2-fg2p-w63c"
}
]
}
CERTFR-2026-AVI-0738
Vulnerability from certfr_avis - Published: 2026-06-11 - Updated: 2026-06-11
Une vulnérabilité a été découverte dans Traefik. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Traefik versions v3.6.20 ant\u00e9rieures \u00e0 v3.6.21",
"product": {
"name": "Traefik",
"vendor": {
"name": "Traefik",
"scada": false
}
}
},
{
"description": "Traefik versions v3.7.4 ant\u00e9rieures \u00e0 v3.7.5",
"product": {
"name": "Traefik",
"vendor": {
"name": "Traefik",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [],
"initial_release_date": "2026-06-11T00:00:00",
"last_revision_date": "2026-06-11T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0738",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-11T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Traefik. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Vuln\u00e9rabilit\u00e9 dans Traefik",
"vendor_advisories": [
{
"published_at": "2026-06-11",
"title": "Bulletin de s\u00e9curit\u00e9 Traefik GHSA-3g6v-2r68-prfc",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-3g6v-2r68-prfc"
}
]
}
CERTFR-2026-AVI-0690
Vulnerability from certfr_avis - Published: 2026-06-05 - Updated: 2026-06-05
De multiples vulnérabilités ont été découvertes dans Traefik. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Traefik versions v3.6.x ant\u00e9rieures \u00e0 v3.6.19",
"product": {
"name": "Traefik",
"vendor": {
"name": "Traefik",
"scada": false
}
}
},
{
"description": "Traefik versions v2.11.x ant\u00e9rieures \u00e0 v2.11.48",
"product": {
"name": "Traefik",
"vendor": {
"name": "Traefik",
"scada": false
}
}
},
{
"description": "Traefik versions v3.7.x ant\u00e9rieures \u00e0 v3.7.3",
"product": {
"name": "Traefik",
"vendor": {
"name": "Traefik",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-48491",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48491"
},
{
"name": "CVE-2026-48020",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48020"
}
],
"initial_release_date": "2026-06-05T00:00:00",
"last_revision_date": "2026-06-05T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0690",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-05T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Traefik. Elles permettent \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Traefik",
"vendor_advisories": [
{
"published_at": "2026-06-05",
"title": "Bulletin de s\u00e9curit\u00e9 Traefik GHSA-5r4w-85f3-pw66",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-5r4w-85f3-pw66"
},
{
"published_at": "2026-06-05",
"title": "Bulletin de s\u00e9curit\u00e9 Traefik GHSA-9cr8-q42q-g8m7",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-9cr8-q42q-g8m7"
},
{
"published_at": "2026-06-05",
"title": "Bulletin de s\u00e9curit\u00e9 Traefik GHSA-xf64-8mw2-4gr2",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2"
}
]
}
CERTFR-2026-AVI-0561
Vulnerability from certfr_avis - Published: 2026-05-12 - Updated: 2026-05-12
Une vulnérabilité a été découverte dans Traefik. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Traefik versions v3.7.x ant\u00e9rieures \u00e0 v3.7.1",
"product": {
"name": "Traefik",
"vendor": {
"name": "Traefik",
"scada": false
}
}
},
{
"description": "Traefik versions v3.6.x ant\u00e9rieures \u00e0 v3.6.17",
"product": {
"name": "Traefik",
"vendor": {
"name": "Traefik",
"scada": false
}
}
},
{
"description": "Traefik versions ant\u00e9rieures \u00e0 v2.11.46",
"product": {
"name": "Traefik",
"vendor": {
"name": "Traefik",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-44774",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44774"
}
],
"initial_release_date": "2026-05-12T00:00:00",
"last_revision_date": "2026-05-12T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0561",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-12T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Traefik. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Vuln\u00e9rabilit\u00e9 dans Traefik",
"vendor_advisories": [
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Traefik GHSA-96qj-4jj5-wcjc",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc"
}
]
}
CERTFR-2026-AVI-0531
Vulnerability from certfr_avis - Published: 2026-05-05 - Updated: 2026-05-05
Une vulnérabilité a été découverte dans Traefik. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Traefik versions v2.11.x ant\u00e9rieures \u00e0 v2.11.44",
"product": {
"name": "Traefik",
"vendor": {
"name": "Traefik",
"scada": false
}
}
},
{
"description": "Traefik versions v3.6.x ant\u00e9rieures \u00e0 v3.6.15",
"product": {
"name": "Traefik",
"vendor": {
"name": "Traefik",
"scada": false
}
}
},
{
"description": "Traefik versions v3.7.0-rc.x ant\u00e9rieures \u00e0 v3.7.0-rc.3\n",
"product": {
"name": "Traefik",
"vendor": {
"name": "Traefik",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-41181",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41181"
}
],
"initial_release_date": "2026-05-05T00:00:00",
"last_revision_date": "2026-05-05T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0531",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-05T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Traefik. Elle permet \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Vuln\u00e9rabilit\u00e9 dans Traefik",
"vendor_advisories": [
{
"published_at": "2026-05-04",
"title": "Bulletin de s\u00e9curit\u00e9 Traefik GHSA-p6hg-qh38-555r",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r"
}
]
}