CVE-2026-44774
published 2026-05-15


Priority: P265 · Severity: critical · CVSS 3.1 base score: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.46% (36.3th percentile)
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1.

Affected (10 ranges)

Vendor      | Product            | Version range      | Fixed in
devspaces   | traefik-rhel9      |                    |
github.com  | traefik_traefik    | 0 – 1.7.34         |
github.com  | traefik_traefik_v2 | >= 0 < 2.11.46     | 2.11.46
github.com  | traefik_traefik_v3 | >= 0 < 3.6.17      | 3.6.17
github.com  | traefik_traefik_v3 | >= 3.7.0 < 3.7.1   | 3.7.1
traefik     | traefik            | < 2.11.46          | 2.11.46
traefik     | traefik            |                    |
traefik     | traefik            |                    |
traefik     | traefik            | >= 3.0.0 < 3.6.17  | 3.6.17
traefik     | traefik            | >= 3.7.0 < 3.7.1   | 3.7.1

Detection & IOCs (extracted from sources)

  • Detect HTTPRoute resources referencing a TraefikService backend whose name ends with '@internal' — specifically 'rest@internal' — which indicates exploitation of this bypass
  • Monitor for unexpected live dynamic configuration write activity via the Traefik REST provider handler in shared Gateway deployments, which may indicate unauthorized reconfiguration of routers and services
  • Audit Kubernetes RBAC for low-privileged principals with HTTPRoute creation permissions in namespaces where Traefik runs with the Kubernetes Gateway API provider, as this is the required precondition for exploitation
  • Flag any TraefikService backend references to '@internal' handlers from untrusted sources as a potential exploitation indicator
  • The 'providers.rest.insecure=false' setting is bypassable via this vulnerability; do not rely on it alone as a security control in shared Gateway deployments until patched
  • Vulnerable Traefik versions are prior to 2.11.46 (2.x line), 3.6.17 (3.6.x line), and 3.7.1 (3.7.x line); the affected Red Hat package is devspaces/traefik-rhel9
  • The REST dynamic configuration provider should be disabled or tightly restricted in shared Gateway deployments as a compensating control
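As an added example (not code from the advisory or from the Traefik project), the following scan implements the first and fourth detection points above: it walks a list of HTTPRoute objects in the shape `kubectl get httproutes -A -o json` returns and reports every backendRef whose name ends with `@internal` and is not on a small allow-list containing only `api@internal`. The sample input is constructed; the `group: traefik.io` / `kind: TraefikService` backendRef shape is assumed from Traefik's Gateway API documentation.

```python
"""Flag Gateway API HTTPRoute backendRefs that route to a Traefik '*@internal'
handler other than api@internal (the CVE-2026-44774 bypass pattern)."""
import json

# Constructed sample in the shape of `kubectl get httproutes -A -o json`.
# Names, namespaces and ports are made up; the backendRef group/kind for a
# TraefikService (traefik.io / TraefikService) is an assumption.
SAMPLE_HTTPROUTE_LIST = json.dumps({
    "kind": "HTTPRouteList",
    "items": [
        {
            "metadata": {"name": "dashboard", "namespace": "platform"},
            "spec": {"rules": [{"backendRefs": [
                {"group": "traefik.io", "kind": "TraefikService", "name": "api@internal"}]}]},
        },
        {
            "metadata": {"name": "shop", "namespace": "tenant-a"},
            "spec": {"rules": [
                {"backendRefs": [{"kind": "Service", "name": "shop-web", "port": 80}]},
                {"backendRefs": [
                    {"group": "traefik.io", "kind": "TraefikService", "name": "rest@internal"}]},
            ]},
        },
    ],
})

# api@internal is the only @internal backend the Gateway provider is meant to expose.
ALLOWED_INTERNAL = frozenset({"api@internal"})

def internal_backend_findings(route_list):
    """Return one finding per backendRef whose name ends with '@internal' and is
    not allow-listed. rest@internal is the reference this CVE is about; any other
    unexpected @internal reference is still worth review."""
    findings = []
    for route in route_list.get("items", []):
        meta = route.get("metadata", {})
        for rule_idx, rule in enumerate(route.get("spec", {}).get("rules", [])):
            for ref in rule.get("backendRefs", []):
                name = ref.get("name", "")
                if not name.endswith("@internal") or name in ALLOWED_INTERNAL:
                    continue
                findings.append({
                    "namespace": meta.get("namespace", ""), "route": meta.get("name", ""),
                    "rule": rule_idx, "kind": ref.get("kind", ""), "backend": name,
                    "severity": "critical" if name == "rest@internal" else "review",
                })
    return findings

def scan_json(raw):
    """Parse a kubectl JSON list and return the findings."""
    return internal_backend_findings(json.loads(raw))

if __name__ == "__main__":
    for f in scan_json(SAMPLE_HTTPROUTE_LIST):
        print(f"{f['severity']:8} {f['namespace']}/{f['route']} rule[{f['rule']}] -> {f['kind']} {f['backend']}")
```

Run it against live cluster output with `kubectl get httproutes -A -o json | python3 scan.py` after replacing the sample with `sys.stdin.read()`; a non-empty result in a namespace owned by a tenant is the signal the detection bullets describe.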

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.9   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd           | v4.0    | 6.4   | MEDIUM   | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat |         | 9.9   | CRITICAL |