PatchSiren cyber security CVE debrief
CVE-2026-54765 traefik CVE debrief
Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different backendRef filters to the same child service and apply only one route's filter set to all requests reaching that backend. In Gateway deployments where backendRef filters set security-sensitive headers, such as tenant identity, authorization context, or values the backend trusts, an attacker who can create an accepted HTTPRoute sharing the same backend Service:port may cause their route's filter context to be applied to another route's requests, potentially crossing namespace boundaries when a ReferenceGrant permits cross-namespace targeting. This issue is fixed in version v3.7.6.
- Vendor
- traefik
- Product
- Unknown
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-08
Who should care
Users of Traefik's Kubernetes Gateway API provider who have not upgraded to version v3.7.6 or later should be aware of this vulnerability and take steps to mitigate it. This includes operators, platform administrators, vulnerability management teams, and security teams who are responsible for ensuring the security and integrity of their systems. They should review and update Gateway deployments to ensure proper configuration of backendRef filters and monitor for suspicious activity.
Technical summary
The vulnerability exists in Traefik's Kubernetes Gateway API provider, where two accepted HTTPRoutes targeting the same backend Service:port but with different backendRef filters may have only one route's filter set applied to all requests. This can lead to security-sensitive headers being set incorrectly, potentially allowing an attacker to access sensitive information or bypass authorization. The issue is fixed in version v3.7.6. An attacker who can create an accepted HTTPRoute sharing the same backend Service:port may cause their route's filter context to be applied to another route's requests, potentially crossing namespace boundaries when a ReferenceGrant permits cross-namespace targeting.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to Traefik version v3.7.6 or later
- Review and update Gateway deployments to ensure proper configuration of backendRef filters
- Monitor for suspicious activity and implement compensating controls as needed
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-06T21:16:57.067Z and has not been modified since then. The NVD entry is currently Undergoing Analysis. There is limited information available about this vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide specific details about the vulnerability, but it is related to Traefik's Kubernetes Gateway API provider. Defenders should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.
Official resources
-
CVE-2026-54765 CVE record
CVE.org
-
CVE-2026-54765 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Source reference
[email protected] - Issue Tracking
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Patch, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:57.067Z and has not been modified since then.