These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different backendRef filters to the same child service and apply only one route's filter set to all requests reaching that backend. In Gateway deployments where backendRef filters s [truncated]
The Traefik ForwardAuth middleware is vulnerable to an authorization bypass. An unauthenticated remote attacker can inject an X-Forwarded-Proto: https header over a plain HTTP connection, causing Traefik to forward X-Forwarded-Port: 443 to the authentication service. This issue is fixed in Traefik versions v2.11.51, v3.6.22, and v3.7.6. Affected product deployments should be reviewed for exposure.
Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which many backends normalize identically to dashed forms. An attacker able to reach a protected route can inject an [truncated]
A medium-severity vulnerability was found in Traefik's Kubernetes Ingress NGINX provider from versions 3.7.0-ea.1 until 3.7.4. This issue causes affected routes to fail open when an Ingress explicitly enables BasicAuth or DigestAuth but the referenced auth Secret cannot be resolved or parsed. As a result, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a [truncated]
Traefik, an HTTP reverse proxy and load balancer, has a critical vulnerability in its HTTP/3 (QUIC) TLS configuration selection. This issue allows unauthenticated clients to bypass router-specific mTLS enforcement. The vulnerability arises because the TLS handshake selects the applicable TLS configuration through an exact, case-sensitive lookup on the SNI (Server Name Indication) value. This lookup fails [truncated]
Traefik, an HTTP reverse proxy and load balancer, has a high-severity vulnerability in its StripPrefix middleware. This vulnerability allows an unauthenticated attacker to bypass route-level authentication and authorization. The issue arises when a public router matches on a PathPrefix rule and applies the StripPrefix middleware. A request path containing .. or its percent-encoded form %2e%2e can match th [truncated]
A medium-severity vulnerability in Traefik's Kubernetes Gateway API provider allows HTTPRoute creation permissions to be abused for unauthorized dynamic configuration access. The flaw permits routing to rest@internal despite providers.rest.insecure=false, enabling live reconfiguration of routers and services in shared Gateway deployments.
Traefik's errors middleware inadvertently forwards complete request headers—including sensitive authentication material—to external error page services, contrary to documentation stating only Host is forwarded by default. This information disclosure occurs when backends return responses matching configured status ranges, exposing credentials across unintended service boundaries. The vulnerability affects [truncated]
CVE-2026-33433 is a medium-severity vulnerability in Traefik, an HTTP reverse proxy and load balancer. An authenticated attacker can inject their own canonical version of a non-canonical HTTP header to impersonate any identity to the backend. The vulnerability exists because Traefik writes non-canonical header names, allowing an attacker to override them with their own canonical version. This issue affect [truncated]
Traefik, an HTTP reverse proxy and load balancer, had a vulnerability prior to versions 3.6.11 and 3.7.0-ea.2. The issue lies in the Knative provider, which builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without proper escaping. This could be exploited in live cluster validation, particularly with `rules[].hosts[]` and `headers[].exact`, allowing for h [truncated]
CVE-2026-29054 is a high-severity vulnerability in Traefik, an HTTP reverse proxy and load balancer. The issue affects versions 2.11.9 to 2.11.37 and 3.1.3 to 3.6.8. It involves a problem with managing the Connection header and X-Forwarded headers, allowing a remote unauthenticated client to bypass protections and trigger the removal of Traefik-managed forwarded identity headers. The vulnerability has bee [truncated]
CVE-2026-26999 is a high-severity vulnerability in Traefik, an HTTP reverse proxy and load balancer. The vulnerability allows an attacker to cause a denial of service by sending an incomplete TLS record, which can stall the TLS handshake indefinitely, leading to a resource exhaustion. This issue has been patched in versions 2.11.38 and 3.6.9. Traefik's management of TLS handshakes on TCP routers is vulner [truncated]
CVE-2026-25949 is a high-severity vulnerability in Traefik, an HTTP reverse proxy and load balancer. An unauthenticated client can exploit this vulnerability by sending an 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in Traefik version 3.6.8. The Common Vulnerability Scoring Sys [truncated]