Vulnerability-Lookup

CVE-2026-44774 (GCVE-0-2026-44774)

Vulnerability from cvelistv5 – Published: 2026-05-15 16:30 – Updated: 2026-05-16 01:12

Title

Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false

Summary

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1.

Severity

6.4 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H

CWE

CWE-284 - Improper Access Control

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/traefik/traefik/security/advis…	x_refsource_CONFIRM
https://github.com/traefik/traefik/releases/tag/v…	x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v3.6.17	x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v3.7.1	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
traefik	traefik	Affected: < 2.11.46 Affected: >= 3.0.0-beta1, < 3.6.17 Affected: >= 3.7.0-rc.0, < 3.7.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44774",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-16T01:12:38.060089Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-16T01:12:49.947Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "traefik",
          "vendor": "traefik",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.11.46"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0-beta1, \u003c 3.6.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0-rc.0, \u003c 3.7.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik\u0027s Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T16:30:43.265Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v2.11.46",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v2.11.46"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.6.17",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.6.17"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.7.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.7.1"
        }
      ],
      "source": {
        "advisory": "GHSA-96qj-4jj5-wcjc",
        "discovery": "UNKNOWN"
      },
      "title": "Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44774",
    "datePublished": "2026-05-15T16:30:43.265Z",
    "dateReserved": "2026-05-07T19:20:44.688Z",
    "dateUpdated": "2026-05-16T01:12:49.947Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44774",
      "date": "2026-05-26",
      "epss": "0.00016",
      "percentile": "0.03866"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44774\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T17:16:48.210\",\"lastModified\":\"2026-05-19T12:22:39.077\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik\u0027s Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.11.46\",\"matchCriteriaId\":\"2FBDBA4B-9AFC-4B78-9847-01614C64A2D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.6.17\",\"matchCriteriaId\":\"3C7FED20-2311-46D0-B184-2B9EC98C66BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.7.0\",\"versionEndExcluding\":\"3.7.1\",\"matchCriteriaId\":\"D7C792C4-828F-413A-8BC9-A8AF1EBAFCC3\"}]}]}],\"references\":[{\"url\":\"https://github.com/traefik/traefik/releases/tag/v2.11.46\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v3.6.17\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v3.7.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44774\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-16T01:12:38.060089Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-16T01:12:43.609Z\"}}], \"cna\": {\"title\": \"Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false\", \"source\": {\"advisory\": \"GHSA-96qj-4jj5-wcjc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"traefik\", \"product\": \"traefik\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.11.46\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0-beta1, \u003c 3.6.17\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.7.0-rc.0, \u003c 3.7.1\"}]}], \"references\": [{\"url\": \"https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc\", \"name\": \"https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v2.11.46\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v2.11.46\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v3.6.17\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v3.6.17\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v3.7.1\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v3.7.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik\u0027s Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T16:30:43.265Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44774\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-16T01:12:49.947Z\", \"dateReserved\": \"2026-05-07T19:20:44.688Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-15T16:30:43.265Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0561

Vulnerability from certfr_avis - Published: 2026-05-12 - Updated: 2026-05-12

Une vulnérabilité a été découverte dans Traefik. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Traefik	Traefik	Traefik versions v3.7.x antérieures à v3.7.1
Traefik	Traefik	Traefik versions v3.6.x antérieures à v3.6.17
Traefik	Traefik	Traefik versions antérieures à v2.11.46

References

Title

Publication Time

FKIE_CVE-2026-44774

Vulnerability from fkie_nvd - Published: 2026-05-15 17:16 - Updated: 2026-05-19 12:22

Severity

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v2.11.46	Product, Release Notes
security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.6.17	Product, Release Notes
security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.7.1	Product, Release Notes
security-advisories@github.com	https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc	Exploit, Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
traefik	traefik	*
traefik	traefik	*
traefik	traefik	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2FBDBA4B-9AFC-4B78-9847-01614C64A2D7",
              "versionEndExcluding": "2.11.46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C7FED20-2311-46D0-B184-2B9EC98C66BA",
              "versionEndExcluding": "3.6.17",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7C792C4-828F-413A-8BC9-A8AF1EBAFCC3",
              "versionEndExcluding": "3.7.1",
              "versionStartIncluding": "3.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik\u0027s Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1."
    }
  ],
  "id": "CVE-2026-44774",
  "lastModified": "2026-05-19T12:22:39.077",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-15T17:16:48.210",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.46"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.17"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-96QJ-4JJ5-WCJC

Vulnerability from github – Published: 2026-05-13 15:29 – Updated: 2026-05-15 23:50

Summary

Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false

Details

Summary

There is a medium severity vulnerability in Traefik's Kubernetes Gateway API provider that allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services.

Patches

https://github.com/traefik/traefik/releases/tag/v2.11.46
https://github.com/traefik/traefik/releases/tag/v3.6.17
https://github.com/traefik/traefik/releases/tag/v3.7.1

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description ### Summary When the Kubernetes Gateway API provider is enabled, Traefik accepts any `TraefikService` backend whose name ends with `@internal`. This allows a tenant-controlled `HTTPRoute` to publish `rest@internal`. If `providers.rest` is enabled, this exposes Traefik's REST provider handler even when `providers.rest.insecure=false`, even though providers.rest.insecure=false is meant to keep the REST handler from being exposed by Traefik's built-in internal router. In a shared Gateway deployment, an actor with permission to create or update `HTTPRoute` resources in an allowed namespace can gain live Traefik dynamic-configuration write access through `PUT /api/providers/rest`. ### Details The Gateway provider treats internal services broadly rather than allowing only a specific internal target. In current `master`, `pkg/provider/kubernetes/gateway/kubernetes.go` defines `isInternalService(...)` as any `TraefikService` reference whose name ends with `@internal`. Then `pkg/provider/kubernetes/gateway/httproute.go` special-cases a single backend reference that matches `isInternalService(...)` and directly assigns `router.Service = string(routeRule.BackendRefs[0].Name)`. This means a tenant route can target not only `api@internal`, but also `rest@internal` and other internal handlers. Separately, the REST provider handler is created whenever the REST provider is enabled. In `pkg/server/service/managerfactory.go`, if `staticConfiguration.Providers.Rest != nil`, Traefik sets `factory.restHandler = staticConfiguration.Providers.Rest.CreateRouter()`. The REST provider handler itself is implemented in `pkg/provider/rest/rest.go` and accepts `PUT /api/providers/{provider}`. The `providers.rest.insecure` flag does not disable the underlying handler. In `pkg/provider/traefik/internal.go`, that flag only controls whether Traefik creates its own built-in internal router for `rest@internal`. Even when `providers.rest.insecure=false`, Traefik still registers the `rest` service object, and the service layer can still resolve `rest@internal` if another provider routes to it. I validated this locally in two tests: 1. the Gateway route-building path accepts `rest@internal` as an internal backend through the same special-case branch used for `api@internal` 2. the service layer builds and serves `rest@internal` successfully when `providers.rest` is enabled and `providers.rest.insecure=false` The vulnerable code path is present in: - `v3.0.0` - `v3.6.7` - `v2.11.0` - `v2.11.36` - current `master` at `786f7192e11878dfaa634f8263bf79bb730a71cb` I verified the issue in v3.0.0, v3.6.7, v2.11.0, v2.11.36, and current master; the reported affected ranges reflect the maintained release lines checked during validation I did not find a public Traefik advisory or CVE for this exact issue. The closest public overlap I found is the documented/tested Gateway support for `api@internal`, but the issue here is broader because the Gateway code accepts any `@internal` `TraefikService`, including the write-capable `rest@internal` handler. ### Expected behavior `providers.rest.insecure=false` should prevent low-privileged route authors from exposing the REST provider handler. ### Actual behavior A tenant-controlled Gateway route can still publish `rest@internal` and reach the REST update API. ### Attacker prerequisites - The Kubernetes Gateway API provider is enabled. - `providers.rest=true`. - `providers.rest.insecure=false`. - A shared Gateway allows tenant namespaces to attach `HTTPRoute` resources. - The attacker can create or update `HTTPRoute` resources in an allowed tenant namespace. ### PoC 1. Configure Traefik so that the Kubernetes Gateway provider is enabled, the REST provider is enabled, and the REST provider is not exposed insecurely. Example static configuration:

providers:
  kubernetesGateway: {}
  rest:
    insecure: false

2. Ensure a shared Gateway allows tenant `HTTPRoute` attachment. 3. In an allowed tenant namespace, create an `HTTPRoute` whose backend points to `rest@internal`:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: expose-rest-internal
  namespace: tenant-a
spec:
  parentRefs:
    - name: shared-gateway
      namespace: infra
  hostnames:
    - rest.tenant.example
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - group: traefik.io
          kind: TraefikService
          name: rest@internal
          port: 80

4. Send a `PUT` request through that published route to `/api/providers/rest` with a valid dynamic configuration body. A harmless proof can add a dummy router pointing to `noop@internal`. Example request body:

{
  "http": {
    "routers": {
      "probe": {
        "rule": "PathPrefix(`/probe`)",
        "service": "noop@internal",
        "ruleSyntax": "default"
      }
    }
  }
}

5. Observe that Traefik accepts the update and applies the supplied dynamic configuration, even though `providers.rest.insecure=false`. ### Impact This is an authorization / trust-boundary bypass affecting shared Gateway deployments. On affected deployments, an actor who should only be able to create or update `HTTPRoute` objects can escalate to live Traefik dynamic-configuration write access. That can allow unauthorized reconfiguration of routers and services, publication of additional internal surfaces, request interception or rerouting, and denial of service through destructive config changes. On affected deployments, this gives a low-privileged Gateway route author live Traefik dynamic-configuration write access. This is critical for affected shared Gateway deployments because it can give a low-privileged route author live Traefik dynamic-configuration write access, but it depends on providers.rest being enabled. This is not an unauthenticated vulnerability in all Traefik deployments. The issue depends on realistic but specific conditions: - `providers.rest` must be enabled - the attacker must be allowed to attach `HTTPRoute` resources to a shared Gateway

Severity

6.4 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "3.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.7.0"
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.16"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.45"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.46"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.7.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-13T15:29:56Z",
    "nvd_published_at": "2026-05-15T17:16:48Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThere is a medium severity vulnerability in Traefik\u0027s Kubernetes Gateway API provider that allows a tenant with `HTTPRoute` creation permissions to expose the REST provider handler, bypassing the `providers.rest.insecure=false` setting. The Gateway provider accepts any `TraefikService` backend reference whose name ends with `@internal`, making it possible to route traffic to `rest@internal` in addition to the intended `api@internal`. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.46\n- https://github.com/traefik/traefik/releases/tag/v3.6.17\n- https://github.com/traefik/traefik/releases/tag/v3.7.1\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n### Summary\nWhen the Kubernetes Gateway API provider is enabled, Traefik accepts any `TraefikService` backend whose name ends with `@internal`. This allows a tenant-controlled `HTTPRoute` to publish `rest@internal`.\n\nIf `providers.rest` is enabled, this exposes Traefik\u0027s REST provider handler even when `providers.rest.insecure=false`, even though providers.rest.insecure=false is meant to keep the REST handler from being exposed by Traefik\u0027s built-in internal router. In a shared Gateway deployment, an actor with permission to create or update `HTTPRoute` resources in an allowed namespace can gain live Traefik dynamic-configuration write access through `PUT /api/providers/rest`.\n\n### Details\nThe Gateway provider treats internal services broadly rather than allowing only a specific internal target.\n\nIn current `master`, `pkg/provider/kubernetes/gateway/kubernetes.go` defines `isInternalService(...)` as any `TraefikService` reference whose name ends with `@internal`.\n\nThen `pkg/provider/kubernetes/gateway/httproute.go` special-cases a single backend reference that matches `isInternalService(...)` and directly assigns `router.Service = string(routeRule.BackendRefs[0].Name)`.\n\nThis means a tenant route can target not only `api@internal`, but also `rest@internal` and other internal handlers.\n\nSeparately, the REST provider handler is created whenever the REST provider is enabled. In `pkg/server/service/managerfactory.go`, if `staticConfiguration.Providers.Rest != nil`, Traefik sets `factory.restHandler = staticConfiguration.Providers.Rest.CreateRouter()`.\n\nThe REST provider handler itself is implemented in `pkg/provider/rest/rest.go` and accepts `PUT /api/providers/{provider}`.\n\nThe `providers.rest.insecure` flag does not disable the underlying handler. In `pkg/provider/traefik/internal.go`, that flag only controls whether Traefik creates its own built-in internal router for `rest@internal`. Even when `providers.rest.insecure=false`, Traefik still registers the `rest` service object, and the service layer can still resolve `rest@internal` if another provider routes to it.\n\nI validated this locally in two tests:\n1. the Gateway route-building path accepts `rest@internal` as an internal backend through the same special-case branch used for `api@internal`\n2. the service layer builds and serves `rest@internal` successfully when `providers.rest` is enabled and `providers.rest.insecure=false`\n\nThe vulnerable code path is present in:\n- `v3.0.0`\n- `v3.6.7`\n- `v2.11.0`\n- `v2.11.36`\n- current `master` at `786f7192e11878dfaa634f8263bf79bb730a71cb`\n\nI verified the issue in v3.0.0, v3.6.7, v2.11.0, v2.11.36, and current master; the reported affected ranges reflect the maintained release lines checked during validation\n\nI did not find a public Traefik advisory or CVE for this exact issue. The closest public overlap I found is the documented/tested Gateway support for `api@internal`, but the issue here is broader because the Gateway code accepts any `@internal` `TraefikService`, including the write-capable `rest@internal` handler.\n\n### Expected behavior\n`providers.rest.insecure=false` should prevent low-privileged route authors from exposing the REST provider handler.\n\n### Actual behavior\nA tenant-controlled Gateway route can still publish `rest@internal` and reach the REST update API.\n\n### Attacker prerequisites\n- The Kubernetes Gateway API provider is enabled.\n- `providers.rest=true`.\n- `providers.rest.insecure=false`.\n- A shared Gateway allows tenant namespaces to attach `HTTPRoute` resources.\n- The attacker can create or update `HTTPRoute` resources in an allowed tenant namespace.\n\n### PoC\n1. Configure Traefik so that the Kubernetes Gateway provider is enabled, the REST provider is enabled, and the REST provider is not exposed insecurely.\n\nExample static configuration:\n\n```yaml\nproviders:\n  kubernetesGateway: {}\n  rest:\n    insecure: false\n```\n\n2. Ensure a shared Gateway allows tenant `HTTPRoute` attachment.\n\n3. In an allowed tenant namespace, create an `HTTPRoute` whose backend points to `rest@internal`:\n\n```yaml\napiVersion: gateway.networking.k8s.io/v1\nkind: HTTPRoute\nmetadata:\n  name: expose-rest-internal\n  namespace: tenant-a\nspec:\n  parentRefs:\n    - name: shared-gateway\n      namespace: infra\n  hostnames:\n    - rest.tenant.example\n  rules:\n    - matches:\n        - path:\n            type: PathPrefix\n            value: /\n      backendRefs:\n        - group: traefik.io\n          kind: TraefikService\n          name: rest@internal\n          port: 80\n```\n\n4. Send a `PUT` request through that published route to `/api/providers/rest` with a valid dynamic configuration body. A harmless proof can add a dummy router pointing to `noop@internal`.\n\nExample request body:\n\n```json\n{\n  \"http\": {\n    \"routers\": {\n      \"probe\": {\n        \"rule\": \"PathPrefix(`/probe`)\",\n        \"service\": \"noop@internal\",\n        \"ruleSyntax\": \"default\"\n      }\n    }\n  }\n}\n```\n\n5. Observe that Traefik accepts the update and applies the supplied dynamic configuration, even though `providers.rest.insecure=false`.\n\n### Impact\nThis is an authorization / trust-boundary bypass affecting shared Gateway deployments.\n\nOn affected deployments, an actor who should only be able to create or update `HTTPRoute` objects can escalate to live Traefik dynamic-configuration write access. That can allow unauthorized reconfiguration of routers and services, publication of additional internal surfaces, request interception or rerouting, and denial of service through destructive config changes.\n\nOn affected deployments, this gives a low-privileged Gateway route author live Traefik dynamic-configuration write access. This is critical for affected shared Gateway deployments because it can give a low-privileged route author live Traefik dynamic-configuration write access, but it depends on providers.rest being enabled.\n\nThis is not an unauthenticated vulnerability in all Traefik deployments. The issue depends on realistic but specific conditions:\n- `providers.rest` must be enabled\n- the attacker must be allowed to attach `HTTPRoute` resources to a shared Gateway\n\n\u003c/details\u003e",
  "id": "GHSA-96qj-4jj5-wcjc",
  "modified": "2026-05-15T23:50:03Z",
  "published": "2026-05-13T15:29:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-96qj-4jj5-wcjc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44774"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.46"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.17"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false"
}

OPENSUSE-SU-2026:10810-1

Vulnerability from csaf_opensuse - Published: 2026-05-18 00:00 - Updated: 2026-05-18 00:00

Summary

traefik-3.6.17-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: traefik-3.6.17-1.1 on GA media

Description of the patch: These are all security issues fixed in the traefik-3.6.17-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10810

CVE-2026-44774

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:traefik-3.6.17-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.6.17-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.6.17-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik-3.6.17-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-44774/	self
https://www.suse.com/security/cve/CVE-2026-44774	external
https://bugzilla.suse.com/1265372	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "traefik-3.6.17-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the traefik-3.6.17-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10810",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10810-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-44774 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-44774/"
      }
    ],
    "title": "traefik-3.6.17-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-05-18T00:00:00Z",
      "generator": {
        "date": "2026-05-18T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10810-1",
      "initial_release_date": "2026-05-18T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-05-18T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.6.17-1.1.aarch64",
                "product": {
                  "name": "traefik-3.6.17-1.1.aarch64",
                  "product_id": "traefik-3.6.17-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.6.17-1.1.ppc64le",
                "product": {
                  "name": "traefik-3.6.17-1.1.ppc64le",
                  "product_id": "traefik-3.6.17-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.6.17-1.1.s390x",
                "product": {
                  "name": "traefik-3.6.17-1.1.s390x",
                  "product_id": "traefik-3.6.17-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.6.17-1.1.x86_64",
                "product": {
                  "name": "traefik-3.6.17-1.1.x86_64",
                  "product_id": "traefik-3.6.17-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.6.17-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.6.17-1.1.aarch64"
        },
        "product_reference": "traefik-3.6.17-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.6.17-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.6.17-1.1.ppc64le"
        },
        "product_reference": "traefik-3.6.17-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.6.17-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.6.17-1.1.s390x"
        },
        "product_reference": "traefik-3.6.17-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.6.17-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.6.17-1.1.x86_64"
        },
        "product_reference": "traefik-3.6.17-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-44774",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-44774"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik\u0027s Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.6.17-1.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.6.17-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.6.17-1.1.s390x",
          "openSUSE Tumbleweed:traefik-3.6.17-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-44774",
          "url": "https://www.suse.com/security/cve/CVE-2026-44774"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265372 for CVE-2026-44774",
          "url": "https://bugzilla.suse.com/1265372"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.6.17-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.6.17-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.6.17-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.6.17-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-18T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-44774"
    }
  ]
}

OPENSUSE-SU-2026:10811-1

Vulnerability from csaf_opensuse - Published: 2026-05-18 00:00 - Updated: 2026-05-18 00:00

Summary

traefik2-2.11.46-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: traefik2-2.11.46-1.1 on GA media

Description of the patch: These are all security issues fixed in the traefik2-2.11.46-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10811

CVE-2026-44774

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.46-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.46-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.46-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.46-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-44774/	self
https://www.suse.com/security/cve/CVE-2026-44774	external
https://bugzilla.suse.com/1265372	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "traefik2-2.11.46-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the traefik2-2.11.46-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10811",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10811-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-44774 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-44774/"
      }
    ],
    "title": "traefik2-2.11.46-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-05-18T00:00:00Z",
      "generator": {
        "date": "2026-05-18T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10811-1",
      "initial_release_date": "2026-05-18T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-05-18T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.46-1.1.aarch64",
                "product": {
                  "name": "traefik2-2.11.46-1.1.aarch64",
                  "product_id": "traefik2-2.11.46-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.46-1.1.ppc64le",
                "product": {
                  "name": "traefik2-2.11.46-1.1.ppc64le",
                  "product_id": "traefik2-2.11.46-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.46-1.1.s390x",
                "product": {
                  "name": "traefik2-2.11.46-1.1.s390x",
                  "product_id": "traefik2-2.11.46-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.46-1.1.x86_64",
                "product": {
                  "name": "traefik2-2.11.46-1.1.x86_64",
                  "product_id": "traefik2-2.11.46-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.46-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.46-1.1.aarch64"
        },
        "product_reference": "traefik2-2.11.46-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.46-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.46-1.1.ppc64le"
        },
        "product_reference": "traefik2-2.11.46-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.46-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.46-1.1.s390x"
        },
        "product_reference": "traefik2-2.11.46-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.46-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.46-1.1.x86_64"
        },
        "product_reference": "traefik2-2.11.46-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-44774",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-44774"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik\u0027s Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik2-2.11.46-1.1.aarch64",
          "openSUSE Tumbleweed:traefik2-2.11.46-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik2-2.11.46-1.1.s390x",
          "openSUSE Tumbleweed:traefik2-2.11.46-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-44774",
          "url": "https://www.suse.com/security/cve/CVE-2026-44774"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265372 for CVE-2026-44774",
          "url": "https://bugzilla.suse.com/1265372"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik2-2.11.46-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.46-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.46-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.46-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-18T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-44774"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44774 (GCVE-0-2026-44774)

CERTFR-2026-AVI-0561

Solutions

FKIE_CVE-2026-44774

GHSA-96QJ-4JJ5-WCJC

Summary

Patches

For more information

OPENSUSE-SU-2026:10810-1

OPENSUSE-SU-2026:10811-1

Tags

Sightings

Nomenclature