PatchSiren cyber security CVE debrief

CVE-2026-54762 traefik CVE debrief

A medium-severity vulnerability was found in Traefik's Kubernetes Ingress NGINX provider from versions 3.7.0-ea.1 until 3.7.4. This issue causes affected routes to fail open when an Ingress explicitly enables BasicAuth or DigestAuth but the referenced auth Secret cannot be resolved or parsed. As a result, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. Consequently, a route that operators intended to protect is published to the data plane without its authentication control, allowing unauthenticated access to the backend. The vulnerability is fixed in version 3.7.5.

Vendor: traefik
Product: Unknown
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-26
Advisory published: 2026-06-23
Advisory updated: 2026-06-26

Who should care

Operators and administrators using Traefik's Kubernetes Ingress NGINX provider from versions 3.7.0-ea.1 until 3.7.4 should be aware of this vulnerability. They should check their configurations and update to version 3.7.5 or later to mitigate the issue. This vulnerability may impact organizations that rely on Traefik for routing and authentication in their Kubernetes environments.

Technical summary

The vulnerability in Traefik's Kubernetes Ingress NGINX provider occurs when an Ingress enables BasicAuth or DigestAuth but the referenced auth Secret is missing, malformed, unreadable, or denied by policy. Instead of withholding the route, Traefik logs the resolution error, skips installing the authentication middleware, and still emits the router, so the backend service is reachable without authentication. This vulnerability has a CVSS score of 5.9 and is classified as medium severity.

Defensive priority

Medium priority should be given to updating Traefik to version 3.7.5. Operators should review their Ingress configurations to ensure that authentication is properly set up and that referenced Secrets are valid and resolvable.

Recommended defensive actions

  • Update Traefik to version 3.7.5 or later.
  • Review Ingress configurations for proper authentication setup.
  • Verify that referenced auth Secrets are valid and resolvable.
  • Monitor Traefik logs for resolution errors related to auth Secrets.
  • Implement compensating controls, such as additional authentication layers, if an immediate update is not possible.
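The fail-open behaviour described in the technical summary, and the "verify that referenced auth Secrets are valid and resolvable" check from the list above, are easiest to see side by side in code. The following Go program is an added illustration written for this debrief; it is not Traefik's code and does not use Traefik's or Kubernetes' real types. The Ingress and Router structs, the in-memory SecretStore, the "users" data key, and the sample cluster data are all constructed for the example. It contrasts a fail-open route builder (the shape the debrief attributes to 3.7.0-ea.1 through 3.7.4) with a fail-closed one, and provides an audit function that lists Ingresses whose enabled auth cannot be backed by a resolvable Secret.

```go
package main

import (
	"errors"
	"fmt"
)

// Ingress models only what matters here: whether the operator explicitly enabled
// BasicAuth/DigestAuth and which Secret should hold the credentials.
// These field names are this example's own, not Traefik's or Kubernetes' types.
type Ingress struct {
	Name       string
	AuthType   string // "" (no auth), "basic" or "digest"
	AuthSecret string // name of the Secret expected to hold the credentials
}

// SecretStore is a constructed in-memory stand-in for the Kubernetes Secret API.
type SecretStore map[string]map[string][]byte

var (
	ErrSecretNotFound  = errors.New("auth secret not found")
	ErrSecretMalformed = errors.New("auth secret has no usable credential data")
)

// ResolveAuth returns the credential data for a Secret or an error for the
// failure classes the debrief names (missing, malformed/empty).
func (s SecretStore) ResolveAuth(name string) ([]byte, error) {
	data, ok := s[name]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrSecretNotFound, name)
	}
	users, ok := data["users"] // hypothetical data key for this example
	if !ok || len(users) == 0 {
		return nil, fmt.Errorf("%w: %q", ErrSecretMalformed, name)
	}
	return users, nil
}

// Router is the data-plane object emitted for an Ingress; Middlewares lists the
// controls installed in front of the backend.
type Router struct {
	Ingress     string
	Middlewares []string
}

// buildRouterFailOpen has the shape the debrief describes for affected versions:
// on a resolution failure the error is returned as the line that would be logged,
// no auth middleware is added, and a router to the backend is still emitted.
func buildRouterFailOpen(ing Ingress, store SecretStore) (*Router, error) {
	r := &Router{Ingress: ing.Name}
	if ing.AuthType == "" {
		return r, nil
	}
	if _, err := store.ResolveAuth(ing.AuthSecret); err != nil {
		return r, err // route published without its authentication control
	}
	r.Middlewares = append(r.Middlewares, ing.AuthType+"-auth")
	return r, nil
}

// buildRouterFailClosed is the corrected behaviour: an Ingress that asks for auth
// but whose Secret cannot be resolved produces no router at all.
func buildRouterFailClosed(ing Ingress, store SecretStore) (*Router, error) {
	r := &Router{Ingress: ing.Name}
	if ing.AuthType == "" {
		return r, nil
	}
	if _, err := store.ResolveAuth(ing.AuthSecret); err != nil {
		return nil, err // route withheld until the Secret is fixed
	}
	r.Middlewares = append(r.Middlewares, ing.AuthType+"-auth")
	return r, nil
}

// AuditIngresses is the operator-side check: Ingresses that enable auth but
// reference a Secret that does not resolve. On an affected version each of
// these is being served without authentication.
func AuditIngresses(ings []Ingress, store SecretStore) []string {
	var exposed []string
	for _, ing := range ings {
		if ing.AuthType == "" {
			continue
		}
		if _, err := store.ResolveAuth(ing.AuthSecret); err != nil {
			exposed = append(exposed, ing.Name)
		}
	}
	return exposed
}

// SampleCluster returns constructed sample data: one valid Secret, one with no
// credential data, and Ingresses covering each case.
func SampleCluster() ([]Ingress, SecretStore) {
	store := SecretStore{
		"admin-users": {"users": []byte("admin:$apr1$constructed-hash")},
		"empty-users": {},
	}
	ings := []Ingress{
		{Name: "public-site"},
		{Name: "admin-ok", AuthType: "basic", AuthSecret: "admin-users"},
		{Name: "admin-missing-secret", AuthType: "basic", AuthSecret: "does-not-exist"},
		{Name: "admin-empty-secret", AuthType: "digest", AuthSecret: "empty-users"},
	}
	return ings, store
}

func main() {
	ings, store := SampleCluster()
	for _, ing := range ings {
		open, err := buildRouterFailOpen(ing, store)
		closed, _ := buildRouterFailClosed(ing, store)
		fmt.Printf("%-22s fail-open: mw=%v logged=%v | fail-closed: router=%v\n",
			ing.Name, open.Middlewares, err, closed != nil)
	}
	fmt.Println("exposed on affected versions:", AuditIngresses(ings, store))
}
```

Running the program shows the difference that matters operationally: for the two Ingresses with unresolvable Secrets, the fail-open builder still returns a router with an empty middleware list (the error only reaches the log), while the fail-closed builder returns none. The audit function is the same resolution step run across every Ingress, which is the check to run against a cluster before relying on the "monitor Traefik logs" action alone.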

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. The source item URL offers additional context from the NVD database. Vendor references include release notes and security advisories from GitHub.

Official resources

This article is AI-assisted and based on the supplied source corpus.