CVE-2026-54762
Published 2026-06-23
Priority P3 (54) · high · 8.6 CVSS 3.1 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS
0.36%
27.9th percentile
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency — a missing, malformed, unreadable, or policy-denied Secret — rather than an intentionally unprotected route. This vulnerability is fixed in 3.7.5.
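The failure mode above is a configuration-dependency problem: the route is published whether or not the auth Secret it depends on resolves and parses. A defender running an affected version wants to find such routes before they are exposed. The following audit script is an added example written for this page; it is not Traefik code. It assumes the objects are plain dicts shaped like `kubectl get ingress,secret -o json` output, that `auth-secret` may be given as `name` or `namespace/name`, and that the Secret stores htpasswd-style lines under an `auth` data key (the ingress-nginx auth-file convention). All sample inputs are constructed inline.

```python
"""Audit Ingress objects for the CVE-2026-54762 fail-open condition:
auth-type set to basic/digest, but the referenced auth Secret is missing,
unreadable, or not parsable as htpasswd lines. Added example, not Traefik
code. Assumptions (see lead-in): `auth` data key, name or namespace/name
secret references, kubectl-style dicts. Inputs below are constructed.
"""
import base64
from dataclasses import dataclass

AUTH_TYPE = "nginx.ingress.kubernetes.io/auth-type"
AUTH_SECRET = "nginx.ingress.kubernetes.io/auth-secret"


@dataclass
class Finding:
    ingress: str   # namespace/name of the Ingress that would fail open
    reason: str


def parse_auth_secret(secret):
    """Return (ok, reason). Mirrors the 'cannot be parsed' trigger: decodes
    the `auth` key and requires every non-empty line to look like user:rest."""
    data = secret.get("data") or {}
    if "auth" not in data:
        return False, "secret has no 'auth' key"
    try:
        raw = base64.b64decode(data["auth"], validate=True).decode()
    except Exception:
        return False, "'auth' value is not valid base64/UTF-8"
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    if not lines:
        return False, "'auth' is empty"
    for ln in lines:
        user, sep, rest = ln.partition(":")
        if not sep or not user or not rest:
            return False, f"malformed htpasswd line {ln!r}"
    return True, "ok"


def resolve_secret_ref(ingress_ns, ref):
    """Assumption: ref is 'name' (same namespace) or 'namespace/name'."""
    if "/" in ref:
        ns, name = ref.split("/", 1)
        return ns, name
    return ingress_ns, ref


def audit(ingresses, secrets):
    """Return Findings for every Ingress whose auth dependency does not resolve.
    Ingresses without basic/digest auth-type are out of scope, as in the advisory."""
    index = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    findings = []
    for ing in ingresses:
        meta = ing["metadata"]
        ann = meta.get("annotations") or {}
        if ann.get(AUTH_TYPE, "").lower() not in ("basic", "digest"):
            continue
        ident = f"{meta['namespace']}/{meta['name']}"
        ref = ann.get(AUTH_SECRET)
        if not ref:
            findings.append(Finding(ident, "auth-type set but auth-secret annotation missing"))
            continue
        ns, name = resolve_secret_ref(meta["namespace"], ref)
        secret = index.get((ns, name))
        if secret is None:
            findings.append(Finding(ident, f"auth-secret {ns}/{name} not found"))
            continue
        ok, reason = parse_auth_secret(secret)
        if not ok:
            findings.append(Finding(ident, f"auth-secret {ns}/{name} unparsable: {reason}"))
    return findings


# ---- constructed sample cluster state (not real data) ----
def _secret(ns, name, auth_text):
    return {"metadata": {"namespace": ns, "name": name},
            "data": {"auth": base64.b64encode(auth_text.encode()).decode()}}


def _ingress(ns, name, **ann):
    return {"metadata": {"namespace": ns, "name": name, "annotations": ann}}


SAMPLE_SECRETS = [
    _secret("prod", "good-auth", "alice:$apr1$constructed$placeholderhash\n"),
    _secret("prod", "bad-auth", "this-is-not-an-htpasswd-line\n"),
]
SAMPLE_INGRESSES = [
    _ingress("prod", "web-ok", **{AUTH_TYPE: "basic", AUTH_SECRET: "good-auth"}),
    _ingress("prod", "web-missing", **{AUTH_TYPE: "basic", AUTH_SECRET: "absent-auth"}),
    _ingress("prod", "web-bad", **{AUTH_TYPE: "digest", AUTH_SECRET: "prod/bad-auth"}),
    _ingress("prod", "web-public"),   # no auth requested: intentionally unprotected, not a finding
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INGRESSES, SAMPLE_SECRETS):
        print(f"FAIL-OPEN RISK {f.ingress}: {f.reason}")
```

On a live cluster the same `audit` can be fed the decoded JSON from `kubectl get ingress -A -o json` and `kubectl get secret -A -o json`; any finding is a route that an affected Traefik would publish without its authentication middleware, and the fix on the Traefik side is the upgrade to 3.7.5.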
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devspaces | traefik-rhel9 | — | — |
| github.com | traefik_traefik_v3 | >= 3.7.0-ea.1 < 3.7.5 | 3.7.5 |
| traefik | traefik | — | — |
| traefik | traefik | >= 3.7.0 < 3.7.5 | 3.7.5 |
CVSS provenance
NVD (CVSS v3.1): 8.6 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
NVD (CVSS v4.0): 5.9 MEDIUM, CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat (vendor): 5.9 MEDIUM
VulDB
Traefik up to 3.7.4 Backend Service failing open (GHSA-4mr2-fg2p-w63c)
vuldb·2026-06-28·CVSS 8.6
CVE-2026-54762 [HIGH] Traefik up to 3.7.4 Backend Service failing open (GHSA-4mr2-fg2p-w63c)
A vulnerability was found in Traefik up to 3.7.4 and classified as problematic. This impacts an unknown function of the component Backend Service. Executing a manipulation can lead to not failing securely.
The identification of this vulnerability is CVE-2026-54762. The attack can only be executed locally. There is no exploit available.
It is suggested to upgrade the affected component.
GHSA
Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails
ghsa·2026-06-19
CVE-2026-54762 [MEDIUM] CWE-636 Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails
Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails
## Summary
There is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported `nginx.ingress.kubernetes.io/auth-type` and `auth-secret` annotations, but the referenced auth Secret cannot be resolved or parsed, Traefik logs the resolution error, skips installing the authentication middleware, and still emits a router to the backend service. A route that operators intended to protect is therefore published to the data plane without its authentication control, allowing unauthenticated access to the backend. The trigger is an invalid or unresolved auth dependency —
Red Hat
github.com/traefik/traefik: Traefik: Authentication bypass due to invalid authentication secret
vendor_redhat·2026-06-23·CVSS 5.9
CVE-2026-54762 [MEDIUM] CWE-166 github.com/traefik/traefik: Traefik: Authentication bypass due to invalid authentication secret
github.com/traefik/traefik: Traefik: Authentication bypass due to invalid authentication secret
A flaw was found in Traefik, an HTTP reverse proxy and load balancer. When an Ingress is configured to use BasicAuth or DigestAuth, but the associated authentication secret cannot be resolved or is malformed, Traefik fails to apply the authentication middleware. This allows unauthenticated access to backend services that were intended to be protected, potentially exposing sensitive information or functionality.
Package: devspaces/traefik-rhel9 (Red Hat OpenShift Dev Spaces) - Fix deferred
No detection rules found.
No public exploits indexed.
Published 2026-06-23