
github.com/traefik/traefik vulnerabilities

25 known vulnerabilities affecting github.com/traefik/traefik.

Total CVEs: 25
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 11, MEDIUM 11

Vulnerabilities

Page 1 of 2
CVE-2026-39858 | P2 | HIGH | Affected: ≥ 0, ≤ 1.7.34 | Published: 2026-04-24
CVE-2026-39858 [HIGH] CWE-290 Traefik: Pre-authentication decision bypass due to forwarded alias spoofing. Summary: There is a high severity authentication bypass vulnerability in Traefik's `ForwardAuth` and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., `X-Forwarded-Proto`) and does not strip or normalize alias variants that use unders […]
Sources: GHSA
CVE-2026-53622 | P2 | HIGH | Affected: ≥ 0, ≤ 1.7.34 | Published: 2026-06-16
CVE-2026-53622 [HIGH] CWE-288 Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts. Summary: There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration […]
Sources: GHSA
CVE-2026-35051 | P2 | HIGH | Affected: ≥ 0, ≤ 1.7.34 | Published: 2026-04-24
CVE-2026-35051 [HIGH] CWE-345 Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication. Summary: There is a high-severity authentication bypass vulnerability in Traefik's `ForwardAuth` middleware when `trustForwardHeader=false` is configured and Traefik is deployed behind a trusted upstream proxy. While `X-Forwarded-*` headers (such as `X- […]
Sources: GHSA
CVE-2026-44774 | P2 | MEDIUM | Affected: ≥ 0, ≤ 1.7.34 | Published: 2026-05-13
CVE-2026-44774 [MEDIUM] CWE-284 Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false. Summary: There is a medium severity vulnerability in Traefik's Kubernetes Gateway API provider that allows a tenant with `HTTPRoute` creation permissi […]
Sources: GHSA
CVE-2025-47952 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 0, ≤ 1.7.34 | Published: 2025-05-28
CVE-2025-47952 [HIGH] CWE-22 Traefik allows path traversal using URL encoding. Impact: There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, bypassing the middlewa […]
Sources: GHSA, OSV
CVE-2025-68121 | P3 | CRITICAL | CVSS 10.0 | Affected: ≥ 0, ≤ 1.7.34 | Published: 2026-02-20
CVE-2025-68121 [CRITICAL] CWE-1395 Traefik affected by TLS ClientAuth Bypass on HTTP/3. Summary: There is a potential vulnerability in Traefik managing HTTP/3 connections. More details in the [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121). Patches: https://github.com/traefik/traefik/releases/tag/v2.11.37 and https://github.com/traefik/traefik/releases/tag/v3.6.8. Workarounds: No workaround. For more information […]
Sources: GHSA, OSV
CVE-2025-32431 | P3 | HIGH | Affected: ≥ 0, ≤ 1.7.34 | Published: 2025-04-21
CVE-2025-32431 [HIGH] CWE-22 Traefik has a possible vulnerability with its path matchers. Impact: There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a `/../` in its path, it’s possible to target a backend, exposed using another router, bypassing th […]
Sources: GHSA, OSV
CVE-2026-40912 | P3 | HIGH | Affected: ≥ 0, ≤ 1.7.34 | Published: 2026-04-24
CVE-2026-40912 [HIGH] CWE-706 Traefik has a StripPrefixRegex middleware authorization bypass via Path/RawPath desync. Summary: There is a high severity authentication bypass vulnerability in Traefik's `StripPrefixRegex` middleware when used in combination with `ForwardAuth`, `BasicAuth`, or `DigestAuth`. The middleware matches the regex against the decoded URL path but uses the resulting byte length to s […]
Sources: GHSA
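An added illustration of the Path/RawPath desync named in the entry above. This is example code written for this page, not Traefik's StripPrefixRegex implementation: a proxy keeps both a decoded Path and a percent-encoded RawPath of the same request, matches the prefix regex against the decoded one, and then removes the same number of bytes from both views. The prefix regex `^/api` and the request path `/%61pi/admin/users` are constructed for the example; which component in the real middleware chain reads which view is not stated on this page.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Stripped holds the two views a proxy keeps of one request path after a
// prefix has been removed: the decoded Path and the percent-encoded RawPath.
type Stripped struct {
	Path    string
	RawPath string
}

// apiPrefix is the constructed StripPrefixRegex-style expression used below.
var apiPrefix = regexp.MustCompile(`^/api`)

// stripDesynced reproduces the bug class (illustrative, not Traefik's code):
// the regex is matched against the decoded path, and the byte length of that
// match is then cut from the encoded path as well. Any %XX escape inside the
// matched prefix makes the two cuts land at different places.
func stripDesynced(re *regexp.Regexp, u *url.URL) (Stripped, bool) {
	loc := re.FindStringIndex(u.Path)
	if loc == nil {
		return Stripped{}, false
	}
	n := loc[1]
	raw := u.EscapedPath()
	if n > len(raw) {
		n = len(raw)
	}
	return Stripped{Path: u.Path[n:], RawPath: raw[n:]}, true
}

// stripConsistent also matches on the decoded path, but translates the decoded
// match end into the corresponding offset of the encoded path before cutting,
// so both views still describe the same remaining path.
func stripConsistent(re *regexp.Regexp, u *url.URL) (Stripped, bool) {
	loc := re.FindStringIndex(u.Path)
	if loc == nil {
		return Stripped{}, false
	}
	raw := u.EscapedPath()
	return Stripped{Path: u.Path[loc[1]:], RawPath: raw[rawOffset(raw, loc[1]):]}, true
}

// rawOffset returns the index into raw at which n decoded bytes have been
// consumed; a %XX escape counts as one decoded byte but three raw bytes.
func rawOffset(raw string, n int) int {
	i := 0
	for consumed := 0; consumed < n && i < len(raw); consumed++ {
		if raw[i] == '%' && i+2 < len(raw) {
			i += 3
		} else {
			i++
		}
	}
	return i
}

// viewsAgree reports whether RawPath still decodes to Path, i.e. whether a
// component reading one view and a component reading the other would be
// judging the same request.
func viewsAgree(s Stripped) bool {
	decoded, err := url.PathUnescape(s.RawPath)
	return err == nil && decoded == s.Path
}

// splitBothWays parses one request path and applies both strategies with
// apiPrefix, returning (desynced, consistent).
func splitBothWays(requestPath string) (Stripped, Stripped, error) {
	u, err := url.Parse(requestPath)
	if err != nil {
		return Stripped{}, Stripped{}, err
	}
	d, ok1 := stripDesynced(apiPrefix, u)
	c, ok2 := stripConsistent(apiPrefix, u)
	if !ok1 || !ok2 {
		return Stripped{}, Stripped{}, fmt.Errorf("prefix did not match %q", requestPath)
	}
	return d, c, nil
}

func main() {
	// Constructed request: "/%61pi" decodes to "/api", so the prefix matches
	// only after decoding while the encoded form is three bytes longer.
	d, c, err := splitBothWays("/%61pi/admin/users")
	if err != nil {
		panic(err)
	}
	fmt.Printf("desynced:   Path=%q RawPath=%q agree=%v\n", d.Path, d.RawPath, viewsAgree(d))
	fmt.Printf("consistent: Path=%q RawPath=%q agree=%v\n", c.Path, c.RawPath, viewsAgree(c))
}
```

The check worth keeping from this is `viewsAgree`: after any middleware that rewrites the path, the encoded and decoded forms must still decode to one another, otherwise an authorization decision made on one form does not cover the request the backend receives.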
CVE-2020-15129 | P3 | MEDIUM | PoC available | Affected: ≥ 1.5.0-rc5, < 1.7.26 | Published: 2022-02-11
CVE-2020-15129 [MEDIUM] CWE-601 Traefik vulnerable to Open Redirect via handling of X-Forwarded-Prefix header. Summary: There exists a potential open redirect vulnerability in Traefik's handling of the `X-Forwarded-Prefix` header. Active exploitation of this issue is unlikely as it would require active header injection; however, the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisonin […]
Sources: GHSA, OSV
CVE-2024-24790 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 0, < 2.11.4 | Published: 2024-06-11
CVE-2024-24790 [CRITICAL] CWE-180 Traefik has unexpected behavior with IPv4-mapped IPv6 addresses. Impact: There is a vulnerability in [Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses](https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ). They didn't work as expected, returning false for addresses which would return true in their traditional IPv4 forms. References […]
Sources: GHSA, OSV
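An added example for the IPv4-mapped IPv6 entry above; this is not code from Go or from Traefik. `naiveIsPrivate` reproduces the behaviour the linked Go announcement describes (the IPv4 ranges are consulted only for a literal IPv4 address, so `::ffff:10.0.0.1` falls through to the IPv6 branch and is reported as public), and `safeIsPrivate` shows the fix a proxy can apply on its own side by unmapping before classifying. The RFC 1918 and fc00::/7 checks and the sample addresses are constructed for the example; the stdlib `IsPrivate` shown in the last column has since been fixed in Go itself.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isPrivateV4Bytes applies the RFC 1918 ranges to a plain 4-byte address.
func isPrivateV4Bytes(b [4]byte) bool {
	return b[0] == 10 ||
		(b[0] == 172 && b[1]&0xf0 == 16) ||
		(b[0] == 192 && b[1] == 168)
}

// naiveIsPrivate reproduces the behaviour the advisory describes (illustrative,
// not Go's or Traefik's code): the IPv4 ranges are consulted only when the
// address is literally IPv4, so an IPv4-mapped IPv6 address falls through to
// the IPv6 branch and is judged by the unique-local rule instead.
func naiveIsPrivate(a netip.Addr) bool {
	if a.Is4() {
		return isPrivateV4Bytes(a.As4())
	}
	b := a.As16()
	return b[0]&0xfe == 0xfc // fc00::/7 unique local addresses
}

// safeIsPrivate unmaps an IPv4-mapped IPv6 address first, so both spellings
// of the same IPv4 address receive the same answer.
func safeIsPrivate(a netip.Addr) bool {
	return naiveIsPrivate(a.Unmap())
}

// classify parses a peer address string, as an allowlist or trusted-proxy
// check would, and returns the naive and the safe verdicts side by side.
func classify(remote string) (naive, safe bool, err error) {
	a, err := netip.ParseAddr(remote)
	if err != nil {
		return false, false, err
	}
	return naiveIsPrivate(a), safeIsPrivate(a), nil
}

func main() {
	// Constructed sample addresses: the second is the first one, mapped.
	for _, s := range []string{"10.0.0.1", "::ffff:10.0.0.1", "fd00::1", "203.0.113.7"} {
		a := netip.MustParseAddr(s)
		naive, safe, _ := classify(s)
		fmt.Printf("%-16s Is4=%-5v Is4In6=%-5v naive=%-5v safe=%-5v stdlib=%v\n",
			s, a.Is4(), a.Is4In6(), naive, safe, a.IsPrivate())
	}
}
```

The practical rule is to call `Unmap()` (or `net.IP.To4()` when working with `net.IP`) before any range comparison, because a dual-stack listener hands you the mapped form for every IPv4 peer.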
CVE-2019-12452 | P3 | HIGH | Affected: ≥ 1.7.0, < 1.7.12 | Published: 2022-05-24
CVE-2019-12452 [HIGH] CWE-522 Containous Traefik Exposes Password Hashes. types/types.go in Containous Traefik 1.7.x through 1.7.11, when the `--api` flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by readi […]
Sources: GHSA, OSV
CVE-2024-45410 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 0, < 2.11.9 | Published: 2024-09-19
CVE-2024-45410 [CRITICAL] CWE-345 HTTP client can manipulate custom HTTP headers that are added by Traefik. Impact: There is a vulnerability in Traefik that allows the client to remove the X-Forwarded headers (except the header X-Forwarded-For). Patches: https://github.com/traefik/traefik/releases/tag/v2.11.9 and https://github.com/traefik/traefik/releases/tag/v3.1.3. Workarounds: No workaround. For more i […]
Sources: GHSA, OSV
CVE-2023-39325 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 2.10.5 and ≥ 3.0.0-beta1, < 3.0.0-beta4 | Published: 2023-10-17
CVE-2023-39325 [HIGH] CWE-400 Traefik vulnerable to HTTP/2 request causing denial of service. Impact: A vulnerability CVE-2023-39325 exists in [Go managing HTTP/2 requests](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ?pli=1), which impacts Traefik. This vulnerability could be exploited to cause a denial of service. References: [CVE-2023-44487](https://www.cve.org/CVERecord?id=CVE-2023-44487), [ […]
Sources: GHSA, OSV
CVE-2018-15598 | P3 | HIGH | Affected: ≥ 1.6.0, < 1.6.6 | Published: 2022-05-13
CVE-2018-15598 [HIGH] CWE-287 Traefik Missing Authentication. Containous Traefik 1.6.x before 1.6.6, when `--api` is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.
Sources: GHSA, OSV
CVE-2024-28869 | P3 | HIGH | Affected: ≥ 0, < 2.11.2 | Published: 2024-04-12
CVE-2024-28869 [HIGH] CWE-404 Traefik vulnerable to denial of service with Content-length header. There is a potential vulnerability in Traefik managing requests with a `Content-length` header and no body. Sending a `GET` request to any Traefik endpoint with the `Content-length` request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.
Sources: GHSA, OSV
CVE-2026-54761 | P3 | MEDIUM | Affected: ≥ 0, ≤ 1.7.34 | Published: 2026-06-17
CVE-2026-54761 [MEDIUM] CWE-284 Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services. Summary: There is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the `crossProviderNamespaces` allowlist. For `HTTPRoute` rules that declare multiple (WRR) backen […]
Sources: GHSA
CVE-2021-32813 | P3 | MEDIUM | Affected: ≥ 0, ≤ 1.7.30 | Published: 2021-08-05
CVE-2021-32813 [MEDIUM] CWE-913 Header dropping in traefik. Impact: There exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation; however, the Traefik team has addressed this issue to prevent any potential abuse. Details: If you have a chain of Traefik middlewares, and one of them sets a request header `Important […]
Sources: GHSA, OSV
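An added example for the Connection-header entry above (example code written for this page, not Traefik's middleware chain). A proxy must drop every header the client names in `Connection` as hop-by-hop (RFC 7230 section 6.1); if that cleanup runs after a middleware has added a header the backend trusts, the client can name that header and have the proxy remove it. The header name `X-Upstream-Verified` is hypothetical, standing in for the header the advisory's example middleware sets, whose name this page does not show. CVE-2024-45410 above concerns the same outcome, proxy-added `X-Forwarded-*` headers removed at the client's request, but the page does not state the mechanism for that entry and this example does not claim to reproduce it.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// trustedHeader is a hypothetical name for a header the backend relies on;
// the real header name from the advisory is not shown on this page.
const trustedHeader = "X-Upstream-Verified"

// stampTrusted models a middleware earlier in the chain that adds a request
// header the backend uses for an authorization decision.
func stampTrusted(h http.Header) {
	h.Set(trustedHeader, "yes")
}

// dropHopByHop removes every header named in Connection, plus Connection
// itself, as a proxy must. The names come from the client, so anything set
// before this step can be undone by the client.
func dropHopByHop(h http.Header) {
	for _, v := range h.Values("Connection") {
		for _, name := range strings.Split(v, ",") {
			if name = strings.TrimSpace(name); name != "" {
				h.Del(name)
			}
		}
	}
	h.Del("Connection")
}

// vulnerableChain runs the stamping middleware first and the hop-by-hop
// cleanup last, so "Connection: X-Upstream-Verified" from the client strips
// the stamp before the backend sees it.
func vulnerableChain(in http.Header) http.Header {
	h := in.Clone()
	stampTrusted(h)
	dropHopByHop(h)
	return h
}

// fixedChain performs the client-controlled removal before any middleware
// adds headers, so the stamp cannot be named away.
func fixedChain(in http.Header) http.Header {
	h := in.Clone()
	dropHopByHop(h)
	stampTrusted(h)
	return h
}

// backendSees returns the trusted header's value in the forwarded request.
func backendSees(h http.Header) string { return h.Get(trustedHeader) }

// simulate builds a constructed client request whose Connection header carries
// connectionValue and reports what the backend sees under each ordering.
func simulate(connectionValue string) (vulnerable, fixed string) {
	client := http.Header{"Connection": {connectionValue}}
	return backendSees(vulnerableChain(client)), backendSees(fixedChain(client))
}

func main() {
	v, f := simulate("keep-alive, " + trustedHeader)
	fmt.Printf("client names the header as hop-by-hop: vulnerable order=%q fixed order=%q\n", v, f)
	v, f = simulate("keep-alive")
	fmt.Printf("ordinary client:                       vulnerable order=%q fixed order=%q\n", v, f)
}
```

The ordering is the whole fix: client-controlled header removal belongs at the edge, before any component starts adding headers that carry trust.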
CVE-2025-66490 | P3 | MEDIUM | Affected: ≥ 0, ≤ 1.7.34 | Published: 2025-12-08
CVE-2025-66490 [MEDIUM] CWE-436 Path Normalization Bypass in Traefik Router + Middleware Rules. Impact: There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the request path contains an encoded restricted character from the following set **('/', '\', 'Null', ';', ' […]
Sources: GHSA, OSV
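One added example covering the three path-matcher entries on this page, CVE-2025-32431 (`/../` in the path), CVE-2025-47952 (URL-encoded segments) and CVE-2025-66490 (percent-encoded restricted characters). It is illustrative code written for this page, not Traefik's router: `routeAsReceived` matches `PathPrefix`-style rules on the path exactly as it arrived, so a request for `/public/../admin` lands on the unguarded router even though the resource actually reached is under `/admin`; `routeNormalized` decodes once, refuses encoded structural characters, resolves dot segments and only then matches. The router names `admin` and `public` and the sample paths are constructed; the restricted-character set is the part of the list that is visible above (`/`, `\`, NUL, `;`).

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strconv"
	"strings"
)

// Decision records which router a request path would be sent to; "admin" is
// the router guarded by an auth middleware, "public" is unguarded.
type Decision struct {
	Router string // "admin", "public", or "" when nothing matched
	Reject bool   // true when the hardened matcher refuses the request outright
}

// routeAsReceived models a PathPrefix-style match on the path as it arrived,
// with no decoding and no dot-segment resolution (illustrative, not Traefik's
// matcher). Whatever resolves ".." or "%2E%2E" later in the chain serves a
// different resource than the one the router decided on.
func routeAsReceived(reqPath string) Decision {
	switch {
	case strings.HasPrefix(reqPath, "/admin"):
		return Decision{Router: "admin"}
	case strings.HasPrefix(reqPath, "/public"):
		return Decision{Router: "public"}
	}
	return Decision{}
}

// hasEncodedRestricted reports whether the raw path percent-encodes one of the
// characters that change path structure when decoded: '/', '\', NUL, ';'.
func hasEncodedRestricted(raw string) bool {
	for i := 0; i+2 < len(raw); i++ {
		if raw[i] != '%' {
			continue
		}
		b, err := strconv.ParseUint(raw[i+1:i+3], 16, 8)
		if err != nil {
			continue // malformed escape; url.PathUnescape will reject it below
		}
		switch byte(b) {
		case '/', '\\', 0, ';':
			return true
		}
	}
	return false
}

// routeNormalized refuses encoded restricted characters, decodes exactly
// once, cleans dot segments, and only then matches, so the router and the
// backend agree on which resource is being asked for.
func routeNormalized(reqPath string) Decision {
	if hasEncodedRestricted(reqPath) {
		return Decision{Reject: true}
	}
	decoded, err := url.PathUnescape(reqPath)
	if err != nil {
		return Decision{Reject: true}
	}
	return routeAsReceived(path.Clean(decoded))
}

func main() {
	// Constructed request paths covering the three entries above.
	for _, p := range []string{
		"/public/docs",
		"/public/../admin",      // dot segments
		"/public/%2E%2E/admin",  // encoded dot segments
		"/public%2F..%2Fadmin",  // encoded slash
		"/public/file%00.txt",   // encoded NUL
	} {
		fmt.Printf("%-24s as received: %-8q normalized: router=%q reject=%v\n",
			p, routeAsReceived(p).Router, routeNormalized(p).Router, routeNormalized(p).Reject)
	}
}
```

Routing on the cleaned path is only half of the fix: the proxy must also forward that same cleaned path, otherwise the backend once again receives the form the router never evaluated.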
CVE-2026-29777 | P3 | MEDIUM | Affected: ≥ 0, ≤ 1.7.34 | Published: 2026-03-11
CVE-2026-29777 [MEDIUM] CWE-74 Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values. Summary: There is a potential vulnerability in Traefik's Kubernetes Gateway provider related to rule injection. A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query para […]
Sources: GHSA, OSV
CVE-2026-41174 | P3 | MEDIUM | Affected: ≥ 0, ≤ 1.7.34 | Published: 2026-04-24
CVE-2026-41174 [MEDIUM] CWE-653 Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding. Summary: There is a vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When `providers.kubernetesCRD.allowCrossNamespace=false`, Traefik correctly rejects direct cross-namespace middleware references from `IngressRoute` objects, but fails to apply the same restriction […]
Sources: GHSA