PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54765 traefik CVE debrief

Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different backendRef filters to the same child service and apply only one route's filter set to all requests reaching that backend. In Gateway deployments where backendRef filters set security-sensitive headers, such as tenant identity, authorization context, or values the backend trusts, an attacker who can create an accepted HTTPRoute sharing the same backend Service:port may cause their route's filter context to be applied to another route's requests, potentially crossing namespace boundaries when a ReferenceGrant permits cross-namespace targeting. This issue is fixed in version v3.7.6.

Vendor
traefik
Product
Unknown
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-08
Advisory published
2026-07-06
Advisory updated
2026-07-08

Who should care

Users of Traefik's Kubernetes Gateway API provider who have not upgraded to version v3.7.6 or later should be aware of this vulnerability and take steps to mitigate it. This includes operators, platform administrators, vulnerability management teams, and security teams who are responsible for ensuring the security and integrity of their systems. They should review and update Gateway deployments to ensure proper configuration of backendRef filters and monitor for suspicious activity.

Technical summary

The vulnerability exists in Traefik's Kubernetes Gateway API provider, where two accepted HTTPRoutes targeting the same backend Service:port but with different backendRef filters may have only one route's filter set applied to all requests. This can lead to security-sensitive headers being set incorrectly, potentially allowing an attacker to access sensitive information or bypass authorization. The issue is fixed in version v3.7.6. An attacker who can create an accepted HTTPRoute sharing the same backend Service:port may cause their route's filter context to be applied to another route's requests, potentially crossing namespace boundaries when a ReferenceGrant permits cross-namespace targeting.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to Traefik version v3.7.6 or later
  • Review and update Gateway deployments to ensure proper configuration of backendRef filters
  • Monitor for suspicious activity and implement compensating controls as needed
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-07-06T21:16:57.067Z and has not been modified since then. The NVD entry is currently Undergoing Analysis. There is limited information available about this vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide specific details about the vulnerability, but it is related to Traefik's Kubernetes Gateway API provider. Defenders should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:57.067Z and has not been modified since then.