CVE-2026-48020
Published: 2026-06-23
Priority: P2 (76) · Critical · CVSS 3.1 base score 10
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.59% (43.8th percentile)
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths — such as admin or internal configuration endpoints — without satisfying the authentication middleware attached to the protected router. This vulnerability is fixed in 2.11.48, 3.6.19, and 3.7.3.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devspaces | traefik-rhel9 | — | — |
| github.com | traefik_traefik_v2 | >= 0 < 2.11.48 | 2.11.48 |
| github.com | traefik_traefik_v3 | >= 0 < 3.6.19 | 3.6.19 |
| github.com | traefik_traefik_v3 | >= 3.7.0-ea.1 < 3.7.3 | 3.7.3 |
| traefik | traefik | < 2.11.48 | 2.11.48 |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | >= 3.0.0 < 3.6.19 | 3.6.19 |
| traefik | traefik | >= 3.7.0 < 3.7.3 | 3.7.3 |
Detection & IOCs (extracted from sources)
- Detect requests to Traefik-proxied services where the URL path contains '..' or '%2e%2e' segments, particularly when targeting PathPrefix-matched public routes — these may be path traversal attempts to bypass StripPrefix middleware authentication.
- Monitor for unauthenticated access to admin or internal configuration endpoints on backends protected by Traefik routers, especially when the originating request path traversed a public StripPrefix-enabled router.
- Flag Traefik deployments running versions prior to 2.11.48, 3.6.19, or 3.7.3 that use StripPrefix middleware on public routers alongside authenticated routers sharing overlapping path namespaces.
- Note: the vulnerability is only exploitable when a public router uses a PathPrefix rule combined with StripPrefix middleware AND a separate authenticated router serves paths that can be reached after prefix stripping and path normalization — both conditions must be present.
- Note: Red Hat states that no effective mitigation is available short of patching; the affected package is devspaces/traefik-rhel9 in Red Hat OpenShift Dev Spaces.
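The first indicator above can be turned into a log check. The following Python is an added example, not code from the page or from the Traefik project: it reads constructed Common Log Format lines, keeps only requests whose target starts with one of the operator-supplied public PathPrefix values (here assumed to be `/public/`), and flags a request when any path segment equals `..` after one round of percent-decoding. Matching whole segments rather than the substring `..` keeps ordinary names such as `release..notes.txt` from being reported, and decoding once covers the `%2e%2e` form named in the advisory. The log lines, prefixes and hostnames are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not taken from the page).
# "/public/" stands in for a PathPrefix-matched public router that applies StripPrefix.
SAMPLE_LOGS = [
    '10.0.0.5 - - [23/Jun/2026:10:00:01 +0000] "GET /public/index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [23/Jun/2026:10:00:02 +0000] "GET /public/../admin/config HTTP/1.1" 200 128',
    '10.0.0.9 - - [23/Jun/2026:10:00:03 +0000] "GET /public/%2E%2e/admin/config?x=1 HTTP/1.1" 200 128',
    '10.0.0.11 - - [23/Jun/2026:10:00:04 +0000] "GET /public/release..notes.txt HTTP/1.1" 200 44',
    '10.0.0.13 - - [23/Jun/2026:10:00:05 +0000] "GET /other/../admin HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

# Request line inside a CLF entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d(?:\.\d)?"')


def request_target(line: str):
    """Return the request target from a CLF line, or None if the line does not parse."""
    m = REQUEST_RE.search(line)
    return m.group("target") if m else None


def has_dotdot_segment(target: str) -> bool:
    """True if any path segment equals '..' after one round of percent-decoding.

    Whole-segment matching avoids flagging names like 'release..notes.txt';
    a single unquote() covers the %2e%2e (any letter case) form from the advisory.
    """
    path = target.split("?", 1)[0]  # routing matches on the path, not the query string
    return any(unquote(seg) == ".." for seg in path.split("/"))


def find_traversal_requests(lines, public_prefixes):
    """Return request targets that hit a public prefix and carry a '..' segment.

    public_prefixes: PathPrefix values of public routers that apply StripPrefix.
    This list is an operator-supplied assumption; the example uses ['/public/'].
    """
    hits = []
    for line in lines:
        target = request_target(line)
        if target is None:
            continue  # unparseable line, skip rather than crash the scan
        if any(target.startswith(p) for p in public_prefixes) and has_dotdot_segment(target):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOGS, ["/public/"]):
        print("suspicious request target:", hit)
```

Run against the constructed lines, the two `/public/` requests carrying a `..` segment are reported, the `release..notes.txt` request and the request under a non-public prefix are not, and the unparseable line is skipped. Hits on a public prefix should be correlated with the second indicator above (backend access to admin or internal endpoints) before being treated as a confirmed bypass.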
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| NVD | 4.0 | 7.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Red Hat (vendor) | — | 7.8 | HIGH | — |
VulDB
Traefik up to 2.11.47/3.6.18/3.7.2 authentication bypass (GHSA-xf64-8mw2-4gr2)
VulDB · 2026-06-28 · CVSS 10.0 · CVE-2026-48020 [CRITICAL]
A vulnerability was found in Traefik up to 2.11.47/3.6.18/3.7.2. It has been classified as critical. The impacted element is an unknown function. Performing a manipulation results in authentication bypass using alternate channel.
This vulnerability is identified as CVE-2026-48020. The attack can be initiated remotely. There is not any exploit available.
Upgrading the affected component is recommended.
GHSA
Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization
GHSA · 2026-06-11 · CVE-2026-48020 [HIGH] · CWE-288
## Summary
There is a high severity vulnerability in Traefik's `StripPrefix` middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a `PathPrefix` rule and applies the `StripPrefix` middleware, a request path containing `..` or its percent-encoded form `%2e%2e` can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths — such as admin or internal configuration endpoints — without satisfying the authentication middleware attached to the protected router.
## Patches
Red Hat
github.com/traefik/traefik: Traefik: Authentication bypass in StripPrefix middleware allows unauthorized access to protected paths
Red Hat (vendor) · 2026-06-23 · CVSS 7.8 · CVE-2026-48020 [HIGH] · CWE-22
A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This vulnerability exists in the StripPrefix middleware, allowing an unauthenticated attacker to bypass route-level authentication and authorization. By crafting a request path containing '..' or its percent-encoded form, an attacker can access protected backend paths, such as administrative or internal configuration endpoints, without proper authentication. This could lead to unauthorized information disclosure or modification of sensitive settings.
Statement: This is an Important authentication bypass flaw in Traefik's StripPrefix middleware, affecting Red Hat OpenShift Dev Spaces. An una
No detection rules found.
No public exploits indexed.
References
- https://github.com/traefik/traefik/releases/tag/v2.11.48
- https://github.com/traefik/traefik/releases/tag/v3.6.19
- https://github.com/traefik/traefik/releases/tag/v3.7.3
- https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2
- https://access.redhat.com/security/cve/CVE-2026-48020
- https://bugzilla.redhat.com/show_bug.cgi?id=2491915
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48020.json