github.com/traefik/traefik vulnerabilities
25 known vulnerabilities affecting github.com/traefik_traefik.
- Total CVEs: 25
- CISA KEV: 0
- Public exploits: 1
- Exploited in wild: 0
- Severity breakdown: CRITICAL 3, HIGH 11, MEDIUM 11
Vulnerabilities
CVE-2026-39858 (P2, HIGH; affected versions ≥ 0, ≤ 1.7.34; date 2026-04-24)
CVE-2026-39858 [HIGH] CWE-290 Traefik: Pre-authentication decision bypass due to forwarded alias spoofing
## Summary
There is a high severity authentication bypass vulnerability in Traefik's `ForwardAuth` and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., `X-Forwarded-Proto`) and does not strip or normalize alias variants that use unders
CVE-2026-53622 (P2, HIGH; affected versions ≥ 0, ≤ 1.7.34; date 2026-06-16)
CVE-2026-53622 [HIGH] CWE-288 Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
## Summary
There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration
CVE-2026-35051 (P2, HIGH; affected versions ≥ 0, ≤ 1.7.34; date 2026-04-24)
CVE-2026-35051 [HIGH] CWE-345 Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication
## Summary
There is a high-severity authentication bypass vulnerability in Traefik's `ForwardAuth` middleware when `trustForwardHeader=false` is configured and Traefik is deployed behind a trusted upstream proxy.
While `X-Forwarded-*` headers (such as `X-
CVE-2026-44774 (P2, MEDIUM; affected versions ≥ 0, ≤ 1.7.34; date 2026-05-13)
CVE-2026-44774 [MEDIUM] CWE-284 Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false
## Summary
There is a medium severity vulnerability in Traefik's Kubernetes Gateway API provider that allows a tenant with `HTTPRoute` creation permissi
CVE-2025-47952 (P3, HIGH, CVSS 8.8; affected versions ≥ 0, ≤ 1.7.34; date 2025-05-28)
CVE-2025-47952 [HIGH] CWE-22 Traefik allows path traversal using url encoding
## Impact
There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewa
CVE-2025-68121 (P3, CRITICAL, CVSS 10.0; affected versions ≥ 0, ≤ 1.7.34; date 2026-02-20)
CVE-2025-68121 [CRITICAL] CWE-1395 Traefik affected by TLS ClientAuth Bypass on HTTP/3
### Summary
There is a potential vulnerability in Traefik managing HTTP/3 connections.
More details in the [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121).
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.37
- https://github.com/traefik/traefik/releases/tag/v3.6.8
## Workarounds
No workaround
## For more information
CVE-2025-32431 (P3, HIGH; affected versions ≥ 0, ≤ 1.7.34; date 2025-04-21)
CVE-2025-32431 [HIGH] CWE-22 Traefik has a possible vulnerability with its path matchers
## Impact
There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a `/../` in its path, it’s possible to target a backend, exposed using another router, by-passing th
CVE-2026-40912 (P3, HIGH; affected versions ≥ 0, ≤ 1.7.34; date 2026-04-24)
CVE-2026-40912 [HIGH] CWE-706 Traefik has a StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync
## Summary
There is a high severity authentication bypass vulnerability in Traefik's `StripPrefixRegex` middleware when used in combination with `ForwardAuth`, `BasicAuth`, or `DigestAuth`.
The middleware matches the regex against the decoded URL path but uses the resulting byte length to s
CVE-2020-15129 (P3, MEDIUM, PoC available; affected versions ≥ 1.5.0-rc5, < 1.7.26; date 2022-02-11)
CVE-2020-15129 [MEDIUM] CWE-601 Traefik vulnerable to Open Redirect via handling of X-Forwarded-Prefix header
## Summary
There exists a potential open redirect vulnerability in Traefik's handling of the `X-Forwarded-Prefix` header. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisonin
CVE-2024-24790 (P3, CRITICAL, CVSS 9.8; affected versions ≥ 0, < 2.11.4; date 2024-06-11)
CVE-2024-24790 [CRITICAL] CWE-180 Traefik has unexpected behavior with IPv4-mapped IPv6 addresses
### Impact
There is a vulnerability in [Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses](https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ).
They didn't work as expected, returning false for addresses which would return true in their traditional IPv4 forms.
### Referen
CVE-2019-12452 (P3, HIGH; affected versions ≥ 1.7.0, < 1.7.12; date 2022-05-24)
CVE-2019-12452 [HIGH] CWE-522 Containous Traefik Exposes Password Hashes
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the `--api` flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by readi
CVE-2024-45410 (P3, CRITICAL, CVSS 9.8; affected versions ≥ 0, < 2.11.9; date 2024-09-19)
CVE-2024-45410 [CRITICAL] CWE-345 HTTP client can manipulate custom HTTP headers that are added by Traefik
### Impact
There is a vulnerability in Traefik that allows the client to remove the X-Forwarded headers (except the header X-Forwarded-For).
### Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.9
- https://github.com/traefik/traefik/releases/tag/v3.1.3
### Workarounds
No workaround.
### For more i
CVE-2023-39325 (P3, HIGH, CVSS 7.5; affected versions ≥ 0, < 2.10.5 and ≥ 3.0.0-beta1, < 3.0.0-beta4; date 2023-10-17)
CVE-2023-39325 [HIGH] CWE-400 Traefik vulnerable to HTTP/2 request causing denial of service
### Impact
A vulnerability, CVE-2023-39325, exists in [Go managing HTTP/2 requests](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ?pli=1), which impacts Traefik. This vulnerability could be exploited to cause a denial of service.
### References
- [CVE-2023-44487](https://www.cve.org/CVERecord?id=CVE-2023-44487)
- [
CVE-2018-15598 (P3, HIGH; affected versions ≥ 1.6.0, < 1.6.6; date 2022-05-13)
CVE-2018-15598 [HIGH] CWE-287 Traefik Missing Authentication
Containous Traefik 1.6.x before 1.6.6, when `--api` is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.
CVE-2024-28869 (P3, HIGH; affected versions ≥ 0, < 2.11.2; date 2024-04-12)
CVE-2024-28869 [HIGH] CWE-404 Traefik vulnerable to denial of service with Content-length header
There is a potential vulnerability in Traefik managing requests with `Content-length` and no `body`.
Sending a `GET` request to any Traefik endpoint with the `Content-length` request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.
CVE-2026-54761 (P3, MEDIUM; affected versions ≥ 0, ≤ 1.7.34; date 2026-06-17)
CVE-2026-54761 [MEDIUM] CWE-284 Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
## Summary
There is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the `crossProviderNamespaces` allowlist. For `HTTPRoute` rules that declare multiple (WRR) backen
CVE-2021-32813 (P3, MEDIUM; affected versions ≥ 0, ≤ 1.7.30; date 2021-08-05)
CVE-2021-32813 [MEDIUM] CWE-913 Header dropping in traefik
# Impact
There exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation, however, the Traefik team has addressed this issue to prevent any potential abuse.
# Details
If you have a chain of Traefik middlewares, and one of them sets a request header `Important
CVE-2025-66490 (P3, MEDIUM; affected versions ≥ 0, ≤ 1.7.34; date 2025-12-08)
CVE-2025-66490 [MEDIUM] CWE-436 Path Normalization Bypass in Traefik Router + Middleware Rules
## Impact
There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path; if the request path contains an encoded restricted character from the following set **('/', '\', 'Null', ';', '
CVE-2026-29777 (P3, MEDIUM; affected versions ≥ 0, ≤ 1.7.34; date 2026-03-11)
CVE-2026-29777 [MEDIUM] CWE-74 Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values
## Summary
There is a potential vulnerability in Traefik's Kubernetes Gateway provider related to rule injection.
A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query para
CVE-2026-41174 (P3, MEDIUM; affected versions ≥ 0, ≤ 1.7.34; date 2026-04-24)
CVE-2026-41174 [MEDIUM] CWE-653 Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding
## Summary
There is a vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement.
When `providers.kubernetesCRD.allowCrossNamespace=false`, Traefik correctly rejects direct cross-namespace middleware references from `IngressRoute` objects, but fails to apply the same restriction