PatchSiren

traefik CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM traefik CVE published 2026-07-06

CVE-2026-54765

Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different backendRef filters to the same child service and apply only one route's filter set to all requests reaching that backend. In Gateway deployments where backendRef filters s [truncated]

MEDIUM traefik CVE published 2026-07-06

CVE-2026-54764

The Traefik ForwardAuth middleware is vulnerable to an authorization bypass. An unauthenticated remote attacker can inject an X-Forwarded-Proto: https header over a plain HTTP connection, causing Traefik to forward X-Forwarded-Port: 443 to the authentication service. This issue is fixed in Traefik versions v2.11.51, v3.6.22, and v3.7.6. Affected product deployments should be reviewed for exposure.

HIGH traefik CVE published 2026-07-06

CVE-2026-54763

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which many backends normalize identically to dashed forms. An attacker able to reach a protected route can inject an [truncated]

MEDIUM traefik CVE published 2026-06-23

CVE-2026-54762

A medium-severity vulnerability was found in Traefik's Kubernetes Ingress NGINX provider from versions 3.7.0-ea.1 until 3.7.4. This issue causes affected routes to fail open when an Ingress explicitly enables BasicAuth or DigestAuth but the referenced auth Secret cannot be resolved or parsed. As a result, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a [truncated]

HIGH traefik CVE published 2026-06-23

CVE-2026-53622

Traefik, an HTTP reverse proxy and load balancer, has a critical vulnerability in its HTTP/3 (QUIC) TLS configuration selection. This issue allows unauthenticated clients to bypass router-specific mTLS enforcement. The vulnerability arises because the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI (Server Name Indication) value. This lookup fails [truncated]

HIGH traefik CVE published 2026-06-23

CVE-2026-48020

Traefik, an HTTP reverse proxy and load balancer, has a high-severity vulnerability in its StripPrefix middleware. This vulnerability allows an unauthenticated attacker to bypass route-level authentication and authorization. The issue arises when a public router matches on a PathPrefix rule and applies the StripPrefix middleware. A request path containing .. or its percent-encoded form %2e%2e can match th [truncated]

MEDIUM traefik CVE published 2026-05-15

CVE-2026-44774

A medium-severity vulnerability in Traefik's Kubernetes Gateway API provider allows HTTPRoute creation permissions to be abused for unauthorized dynamic configuration access. The flaw permits routing to rest@internal despite providers.rest.insecure=false, enabling live reconfiguration of routers and services in shared Gateway deployments.

MEDIUM traefik CVE published 2026-05-15

CVE-2026-41181

Traefik's errors middleware inadvertently forwards complete request headers—including sensitive authentication material—to external error page services, contrary to documentation stating only Host is forwarded by default. This information disclosure occurs when backends return responses matching configured status ranges, exposing credentials across unintended service boundaries. The vulnerability affects [truncated]

MEDIUM traefik CVE published 2026-03-27

CVE-2026-33433

CVE-2026-33433 is a medium-severity vulnerability in Traefik, an HTTP reverse proxy and load balancer. An authenticated attacker can inject their own canonical version of a non-canonical HTTP header to impersonate any identity to the backend. The vulnerability exists because Traefik writes non-canonical header names, allowing an attacker to override them with their own canonical version. This issue affect [truncated]

MEDIUM traefik CVE published 2026-03-27

CVE-2026-32695

Traefik, an HTTP reverse proxy and load balancer, had a vulnerability prior to versions 3.6.11 and 3.7.0-ea.2. The issue lies in the Knative provider, which builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without proper escaping. This could be exploited in live cluster validation, particularly with `rules[].hosts[]` and `headers[].exact`, allowing for h [truncated]

HIGH traefik CVE published 2026-03-05

CVE-2026-29054

CVE-2026-29054 is a high-severity vulnerability in Traefik, an HTTP reverse proxy and load balancer. The issue affects versions 2.11.9 to 2.11.37 and 3.1.3 to 3.6.8. It involves a problem with managing the Connection header and X-Forwarded headers, allowing a remote unauthenticated client to bypass protections and trigger the removal of Traefik-managed forwarded identity headers. The vulnerability has bee [truncated]

HIGH traefik CVE published 2026-03-05

CVE-2026-26999

CVE-2026-26999 is a high-severity vulnerability in Traefik, an HTTP reverse proxy and load balancer. The vulnerability allows an attacker to cause a denial of service by sending an incomplete TLS record, which can stall the TLS handshake indefinitely, leading to a resource exhaustion. This issue has been patched in versions 2.11.38 and 3.6.9. Traefik's management of TLS handshakes on TCP routers is vulner [truncated]

HIGH traefik CVE published 2026-02-12

CVE-2026-25949

CVE-2026-25949 is a high-severity vulnerability in Traefik, an HTTP reverse proxy and load balancer. An unauthenticated client can exploit this vulnerability by sending an 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in Traefik version 3.6.8. The Common Vulnerability Scoring Sys [truncated]