MidnightBSD

Advisories for traefik

CVE-2018-15598 MEDIUM

Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287

Products Affected

Vendor Product Version
traefik traefik *
CVE-2019-12452 LOW

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by reading the ClientTLS section. These can be found in the JSON response to a /api request.

CVSS 2.0

Severity: LOW

Problem Type: CWE-522

Products Affected

Vendor Product Version
traefik traefik *
CVE-2019-20894 MEDIUM

Traefik 2.x, in certain configurations, allows HTTPS sessions to proceed without mutual TLS verification in a situation where ERR_BAD_SSL_CLIENT_AUTH_CERT should have occurred.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295

Products Affected

Vendor Product Version
traefik traefik *
CVE-2020-15129 MEDIUM

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component doesn't validate that the value of the header "X-Forwarded-Prefix" is a site-relative path and will redirect to any header-provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active exploitation of this issue is unlikely, as it would require active header injection; however, the Traefik team addressed this issue nonetheless to prevent abuse in, e.g., cache poisoning scenarios.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N 1.6 2.7
security-advisories@github.com 6.1 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N 1.6 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601

Products Affected

Vendor Product Version
traefik traefik 2.3.0
traefik traefik *
CVE-2020-9321 MEDIUM

configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295

Products Affected

Vendor Product Version
traefik traefik 2.0.0
traefik traefik *
CVE-2021-32813 MEDIUM

Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation; however, the Traefik team has addressed this issue to prevent any potential abuse. If one has a chain of Traefik middlewares, and one of them sets a request header, then sending a request with a certain Connection header will cause that header to be removed before the request is sent. In this case, the backend does not see the request header. A patch is available in version 2.4.13. There are no known workarounds aside from upgrading.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-913

Products Affected

Vendor Product Version
traefik traefik *
CVE-2022-23469

Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a user's logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`.

Products Affected

Vendor Product Version
traefik traefik *
CVE-2022-23632 MEDIUM

Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can differ from the router choice, which implies the use of a wrong TLS configuration. When sending a request using an FQDN handled by a router configured with a dedicated TLS configuration, the TLS configuration falls back to the default configuration, which might not correspond to the configured one. If CNAME flattening is enabled, the selected TLS configuration is the SNI one while the routing uses the CNAME value, so this can skip the expected TLS configuration. Version 2.6.1 contains a patch for this issue. As a workaround, one may add the FQDN to the host rule. However, there is no workaround if CNAME flattening is enabled.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295

Products Affected

Vendor Product Version
oracle communications_unified_inventory_management 7.5.0
traefik traefik *
CVE-2022-39271

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. There has been a patch released in versions 2.8.8 and 2.9.0-rc5. There are currently no known workarounds.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
traefik traefik 2.9.0
traefik traefik *
CVE-2022-46153

Traefik is an open source HTTP reverse proxy and load balancer. In affected versions there is a potential vulnerability in Traefik managing TLS connections. A router configured with a malformed TLSOption is exposed with an empty TLSOption. For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates. Users are advised to upgrade to version 2.9.6. Users unable to upgrade should check their logs to detect the error messages and fix their TLS options.

Products Affected

Vendor Product Version
traefik traefik *
CVE-2023-29013

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service. This issue has been patched in versions 2.9.10 and 2.10.0-rc2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
traefik traefik 2.10.0
traefik traefik *
CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
redhat openshift -
caddyserver caddy *
redhat certification_for_red_hat_enterprise_linux 9.0
redhat migration_toolkit_for_virtualization -
redhat integration_service_registry -
nodejs node.js *
netapp astra_control_center -
akka http_server *
eclipse jetty *
redhat build_of_quarkus -
microsoft cbl-mariner *
redhat openstack_platform 17.1
redhat openshift_gitops -
redhat integration_camel_k -
redhat machine_deletion_remediation_operator -
f5 big-ip_link_controller 17.1.0
netty netty *
redhat enterprise_linux 8.0
redhat quay 3.0.0
redhat openshift_dev_spaces -
f5 big-ip_global_traffic_manager 17.1.0
redhat fence_agents_remediation_operator -
fedoraproject fedora 37
cisco unified_contact_center_enterprise_-_live_data_server *
traefik traefik *
f5 big-ip_domain_name_system *
envoyproxy envoy 1.24.10
redhat advanced_cluster_security 3.0
redhat ansible_automation_platform 2.0
redhat satellite 6.0
f5 nginx_plus r30
jenkins jenkins *
redhat jboss_a-mq 7
cisco fog_director *
cisco data_center_network_manager -
linkerd linkerd 2.13.1
f5 big-ip_access_policy_manager 17.1.0
redhat node_maintenance_operator -
f5 big-ip_ssl_orchestrator *
redhat openstack_platform 16.2
envoyproxy envoy 1.25.9
redhat openshift_data_science -
redhat migration_toolkit_for_containers -
cisco prime_cable_provisioning *
debian debian_linux 10.0
f5 big-ip_application_visibility_and_reporting 17.1.0
cisco crosswork_zero_touch_provisioning *
cisco firepower_threat_defense *
redhat web_terminal -
cisco ios_xe *
grpc grpc *
f5 big-ip_ddos_hybrid_defender 17.1.0
cisco crosswork_data_gateway 5.0
redhat enterprise_linux 9.0
f5 big-ip_application_security_manager 17.1.0
cisco unified_contact_center_enterprise -
apache traffic_server *
f5 big-ip_access_policy_manager *
golang go *
f5 big-ip_fraud_protection_service *
apache apisix *
golang networking *
kazu-yamamoto http2 *
f5 big-ip_ddos_hybrid_defender *
debian debian_linux 12.0
linkerd linkerd 2.13.0
f5 big-ip_advanced_web_application_firewall *
redhat self_node_remediation_operator -
f5 big-ip_local_traffic_manager 17.1.0
redhat node_healthcheck_operator -
redhat openshift_distributed_tracing -
redhat openshift_serverless -
redhat openshift_api_for_data_protection -
redhat decision_manager 7.0
netapp oncommand_insight -
linecorp armeria *
varnish_cache_project varnish_cache *
cisco ultra_cloud_core_-_policy_control_function *
microsoft windows_11_22h2 *
redhat cert-manager_operator_for_red_hat_openshift -
f5 nginx_ingress_controller *
f5 big-ip_fraud_protection_service 17.1.0
cisco nx-os *
redhat build_of_optaplanner 8.0
f5 big-ip_policy_enforcement_manager *
microsoft windows_10_1809 *
cisco ultra_cloud_core_-_session_management_function *
apache tomcat *
amazon opensearch_data_prepper *
f5 big-ip_link_controller *
traefik traefik 3.0.0
redhat integration_camel_for_spring_boot -
microsoft windows_server_2022 -
f5 big-ip_webaccelerator *
microsoft asp.net_core *
redhat single_sign-on 7.0
microsoft windows_10_1607 *
redhat openshift_pipelines -
microsoft azure_kubernetes_service *
cisco iot_field_network_director *
envoyproxy envoy 1.26.4
envoyproxy envoy 1.27.0
redhat openshift_container_platform 4.0
grpc grpc 1.57.0
f5 big-ip_domain_name_system 17.1.0
f5 big-ip_webaccelerator 17.1.0
microsoft visual_studio_2022 *
microsoft windows_10_22h2 *
redhat cost_management -
cisco secure_dynamic_attributes_connector *
microsoft windows_11_21h2 *
f5 nginx *
f5 big-ip_next_service_proxy_for_kubernetes *
microsoft windows_10_21h2 *
f5 big-ip_local_traffic_manager *
cisco business_process_automation *
redhat process_automation 7.0
golang http2 *
ietf http 2.0
redhat openshift_developer_tools_and_services -
f5 big-ip_websafe *
f5 big-ip_carrier-grade_nat *
cisco unified_attendant_console_advanced -
redhat service_interconnect 1.0
fedoraproject fedora 38
cisco secure_web_appliance_firmware *
cisco unified_contact_center_management_portal -
microsoft .net *
f5 big-ip_global_traffic_manager *
redhat cryostat 2.0
cisco crosswork_situation_manager -
redhat migration_toolkit_for_applications 6.0
dena h2o *
cisco prime_network_registrar *
redhat jboss_enterprise_application_platform 6.0.0
f5 big-ip_application_acceleration_manager 17.1.0
redhat openstack_platform 16.1
cisco connected_mobile_experiences *
f5 big-ip_websafe 17.1.0
cisco ultra_cloud_core_-_serving_gateway_function *
redhat advanced_cluster_management_for_kubernetes 2.0
apache tomcat 11.0.0
f5 big-ip_carrier-grade_nat 17.1.0
cisco telepresence_video_communication_server *
f5 big-ip_next 20.0.1
redhat support_for_spring_boot -
microsoft windows_server_2019 -
linkerd linkerd *
cisco unified_contact_center_domain_manager -
f5 big-ip_application_acceleration_manager *
openresty openresty *
redhat openshift_sandboxed_containers -
f5 big-ip_application_visibility_and_reporting *
f5 nginx_plus r29
redhat service_telemetry_framework 1.5
redhat jboss_data_grid 7.0.0
redhat advanced_cluster_security 4.0
cisco prime_infrastructure *
linkerd linkerd 2.14.0
redhat jboss_enterprise_application_platform 7.0.0
cisco crosswork_data_gateway *
redhat openshift_virtualization 4
debian debian_linux 11.0
projectcontour contour *
f5 nginx_plus *
redhat certification_for_red_hat_enterprise_linux 8.0
f5 big-ip_advanced_firewall_manager 17.1.0
redhat 3scale_api_management_platform 2.0
redhat jboss_a-mq_streams -
f5 big-ip_analytics *
apache solr *
redhat logging_subsystem_for_red_hat_openshift -
cisco prime_access_registrar *
cisco expressway *
microsoft windows_server_2016 -
redhat jboss_fuse 6.0.0
konghq kong_gateway *
redhat jboss_fuse 7.0.0
cisco ios_xr *
cisco ultra_cloud_core_-_policy_control_function 2024.01.0
cisco secure_malware_analytics *
redhat openshift_service_mesh 2.0
cisco enterprise_chat_and_email -
redhat openshift_secondary_scheduler_operator -
facebook proxygen *
nghttp2 nghttp2 *
f5 big-ip_analytics 17.1.0
f5 big-ip_advanced_firewall_manager *
apple swiftnio_http/2 *
redhat openshift_container_platform_assisted_installer -
redhat network_observability_operator -
redhat ceph_storage 5.0
redhat run_once_duration_override_operator -
istio istio *
redhat enterprise_linux 6.0
f5 big-ip_application_security_manager *
f5 big-ip_advanced_web_application_firewall 17.1.0
redhat jboss_core_services -
linkerd linkerd 2.14.1
f5 big-ip_policy_enforcement_manager 17.1.0
f5 big-ip_ssl_orchestrator 17.1.0
CVE-2023-47106

Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path and the query. When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions. This vulnerability has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
traefik traefik 3.0.0
traefik traefik *
CVE-2023-47124

Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a `slowloris attack`. This vulnerability has been patched in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. Users unable to upgrade should replace the `HTTPChallenge` with the `TLSChallenge` or the `DNSChallenge`.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
traefik traefik 3.0.0
traefik traefik *
CVE-2023-47633

Traefik is an open source HTTP reverse proxy and load balancer. The Traefik Docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
traefik traefik 3.0.0
traefik traefik *
CVE-2024-28869

Traefik is an HTTP reverse proxy and load balancer. In affected versions sending a GET request to any Traefik endpoint with the "Content-length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service. This vulnerability has been addressed in version 2.11.2 and 3.0.0-rc5. Users are advised to upgrade. For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
traefik traefik 3.0.0
traefik traefik *
CVE-2024-39321

Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
traefik traefik *
traefik traefik 3.1.0
CVE-2024-45410

Traefik is a golang, Cloud Native Application Proxy. When an HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For an HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise if they can be modified. For HTTP/1.1, however, it was found that some of these custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6
security-advisories@github.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
traefik traefik *
CVE-2024-52003

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. This issue has been addressed in versions 2.11.14 and 3.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Products Affected

Vendor Product Version
traefik traefik *
CVE-2025-32431

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it’s possible to target a backend, exposed using another router, bypassing the middlewares chain. This issue has been patched in versions 2.11.24, 3.3.6, and 3.4.0-rc2. A workaround involves adding a `PathRegexp` rule to the matcher to prevent matching a route with a `/../` in the path.

Products Affected

Vendor Product Version
traefik traefik *
traefik traefik 3.4.0
CVE-2025-47952

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL-encoded string in its path, it’s possible to target a backend, exposed using another router, bypassing the middlewares chain. This issue has been patched in versions 2.11.25 and 3.4.1.

Products Affected

Vendor Product Version
traefik traefik *
CVE-2025-54386

Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.

Products Affected

Vendor Product Version
traefik traefik 3.5.0
traefik traefik *
CVE-2025-66490

Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, \, Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering my-security-middleware, bypassing security controls for the /admin/ path. This issue is fixed in versions 2.11.32 and 3.6.3.

Products Affected

Vendor Product Version
traefik traefik *
CVE-2025-66491

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

Products Affected

Vendor Product Version
traefik traefik *
CVE-2026-22045

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
traefik traefik *
CVE-2026-25949

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
traefik traefik *
CVE-2026-26998

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentication server is read entirely into memory without any size limit. There is no maxResponseBodySize configuration to restrict the amount of data read from the authentication server response. If the authentication server returns an unexpectedly large or unbounded response body, Traefik will allocate unlimited memory, potentially causing an out-of-memory (OOM) condition that crashes the process. This results in a denial of service for all routes served by the affected Traefik instance. This issue has been patched in versions 2.11.38 and 3.6.9.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

Products Affected

Vendor Product Version
traefik traefik *
CVE-2026-26999

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
traefik traefik *
CVE-2026-29777

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, a tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10.

Products Affected

Vendor Product Version
traefik traefik *
CVE-2026-32695

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rules[].hosts[]` was exploitable for host restriction bypass (for example `tenant.example.com`) || Host(`attacker.com`), producing a router that serves attacker-controlled hosts. Knative `headers[].exact` also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Versions 3.6.11 and 3.7.0-ea.2 patch the issue.

Products Affected

Vendor Product Version
traefik traefik 3.7.0
traefik traefik *
CVE-2026-33433

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue.

Products Affected

Vendor Product Version
traefik traefik 3.7.0
traefik traefik *