PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44774 traefik CVE debrief

A medium-severity vulnerability in Traefik's Kubernetes Gateway API provider lets an actor who can create HTTPRoute objects gain unauthorized access to Traefik's dynamic configuration. Because the provider accepts a backend reference to rest@internal, the REST provider becomes reachable through an ordinary route even with providers.rest.insecure=false, allowing live reconfiguration of routers and services in shared Gateway deployments.

Vendor: traefik
Product: Unknown
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Organizations running Traefik in Kubernetes with the Gateway API provider enabled, in particular multi-tenant or shared Gateway deployments where the REST provider is also enabled and HTTPRoute creation is delegated to less-privileged users or tenant namespaces.

Technical summary

The Kubernetes Gateway API provider in Traefik accepted TraefikService backend references whose name ends with @internal. Because that case was not rejected, an actor with permission to create HTTPRoute objects can point a route at rest@internal, the REST provider's internal service, and reach the REST provider handler through a normal route. This bypasses the intended effect of providers.rest.insecure=false, which is meant to keep the REST provider off externally reachable entry points. In a shared Gateway deployment where the REST provider is enabled, such a route gives the actor live write access to Traefik's dynamic configuration: routers and services can be added or altered for every tenant the Gateway serves. Affected versions are Traefik releases prior to 2.11.46, 3.6.17 and 3.7.1.

Defensive priority

medium

Recommended defensive actions

  • Upgrade to Traefik 2.11.46, 3.6.17 or 3.7.1 (or a later release on the same branch)
  • Audit existing HTTPRoute resources for TraefikService backend references whose name ends with @internal, and remove any that the platform team did not create
  • Review Kubernetes RBAC so that HTTPRoute creation is granted only to the namespaces and principals that need it
  • In shared Gateway deployments, verify the REST provider configuration (disable it if it is not needed) and restrict access to its configuration endpoint
  • Monitor Traefik's dynamic configuration for routers or services appearing without a corresponding change
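The audit step above can be scripted. The following is an added example, not PatchSiren's or Traefik's code: it walks the JSON that `kubectl get httproutes -A -o json` produces and reports every backendRef that names a TraefikService ending in @internal. It assumes the group/kind pair `traefik.io`/`TraefikService` that Traefik documents for TraefikService backend references; the two HTTPRoute objects embedded in it are constructed samples, one benign and one pointing at rest@internal.

```python
"""Flag HTTPRoute backendRefs that target a Traefik internal service.

Added example (not the advisory's or Traefik's own code). Input is the
v1 List JSON from `kubectl get httproutes -A -o json`; when stdin is a
terminal the constructed SAMPLE_ROUTES below are used instead.
"""
import json
import sys

# Assumed: Traefik's Gateway API provider resolves backendRefs with this
# group/kind to TraefikService objects. Plain Service refs (group "",
# kind "Service") are not part of the advisory and are skipped.
TRAEFIK_GROUP = "traefik.io"
TRAEFIK_KIND = "TraefikService"


def internal_backend_refs(route: dict) -> list:
    """Return (namespace, route_name, rule_index, backend_name) for each
    backendRef in one HTTPRoute that names a TraefikService ending in
    "@internal", the pattern the advisory says should never be accepted."""
    meta = route.get("metadata", {})
    ns = meta.get("namespace", "default")
    name = meta.get("name", "<unnamed>")
    findings = []
    for idx, rule in enumerate(route.get("spec", {}).get("rules", [])):
        for ref in rule.get("backendRefs", []):
            group = ref.get("group", "")          # Gateway API default: core group
            kind = ref.get("kind", "Service")     # Gateway API default: Service
            target = ref.get("name", "")
            if (group == TRAEFIK_GROUP and kind == TRAEFIK_KIND
                    and target.endswith("@internal")):
                findings.append((ns, name, idx, target))
    return findings


def audit_route_list(route_list: dict) -> list:
    """Run internal_backend_refs over every HTTPRoute in a kubectl List."""
    findings = []
    for item in route_list.get("items", []):
        if item.get("kind") != "HTTPRoute":
            continue
        findings.extend(internal_backend_refs(item))
    return findings


# Constructed sample data: a normal tenant route and one abusing rest@internal.
SAMPLE_ROUTES = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "gateway.networking.k8s.io/v1",
            "kind": "HTTPRoute",
            "metadata": {"name": "shop", "namespace": "tenant-a"},
            "spec": {"rules": [{"backendRefs": [{"name": "shop-svc", "port": 80}]}]},
        },
        {
            "apiVersion": "gateway.networking.k8s.io/v1",
            "kind": "HTTPRoute",
            "metadata": {"name": "sneaky", "namespace": "tenant-b"},
            "spec": {"rules": [
                {"backendRefs": [{"name": "frontend", "port": 80}]},
                {"backendRefs": [{"group": "traefik.io", "kind": "TraefikService",
                                  "name": "rest@internal"}]},
            ]},
        },
    ],
}


def main():
    data = SAMPLE_ROUTES if sys.stdin.isatty() else json.load(sys.stdin)
    hits = audit_route_list(data)
    for ns, name, idx, target in hits:
        print(f"{ns}/{name} rule[{idx}] -> {target}")
    # Non-zero exit so the check can gate a CI job or a cron alert.
    sys.exit(1 if hits else 0)


if __name__ == "__main__":
    main()
```

Pipe the live cluster state in with `kubectl get httproutes -A -o json | python3 audit_httproutes.py`; a non-zero exit means at least one route reaches an @internal service and needs a human look. The match is on the documented group/kind plus the name suffix, so it does not produce noise for ordinary Service backends.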

Evidence notes

Official CVE published 2026-05-15; NVD entry last modified 2026-05-19. The vendor advisory and the patched releases were published through GitHub Security Advisories.
