
Github.Com Traefik Traefik V2 vulnerabilities

47 known vulnerabilities affecting github.com/traefik_traefik_v2.

Total CVEs: 47
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 20, MEDIUM 21, LOW 1

Vulnerabilities

Page 1 of 3
CVE-2023-45288 | P2 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 2.11.2 | 2024-04-15
CVE-2023-45288 [HIGH] Traefik affected by HTTP/2 CONTINUATION flood in net/http
There is a potential vulnerability in Traefik managing HTTP/2 connections. More details in the [CVE-2023-45288](https://www.cve.org/CVERecord?id=CVE-2023-45288).
Patches:
- https://github.com/traefik/traefik/releases/tag/v2.11.2
- https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
Workarounds: No workaround
For more information: If you ha
Sources: ghsa, osv
CVE-2026-48020 | P2 | HIGH | Affected: ≥ 0, < 2.11.48 | 2026-06-11
CVE-2026-48020 [HIGH] CWE-288 Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization
Summary: There is a high severity vulnerability in Traefik's `StripPrefix` middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a `PathPrefix` rule and applies the `StripPrefix` middleware, a request path containing `..` or its percen
Sources: ghsa
CVE-2026-39858 | P2 | HIGH | Affected: ≥ 0, < 2.11.43 | 2026-04-24
CVE-2026-39858 [HIGH] CWE-290 Traefik: Pre-authentication decision bypass due to forwarded alias spoofing
Summary: There is a high severity authentication bypass vulnerability in Traefik's `ForwardAuth` and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., `X-Forwarded-Proto`) and does not strip or normalize alias variants that use unders
Sources: ghsa
CVE-2026-53622 | P2 | HIGH | Affected: ≥ 0, ≤ 2.11.50 | 2026-06-16
CVE-2026-53622 [HIGH] CWE-288 Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
Summary: There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration
Sources: ghsa
CVE-2026-33186 | P2 | CRITICAL | CVSS 9.1 | Affected: ≥ 0, < 2.11.42 | 2026-03-29
CVE-2026-33186 [CRITICAL] CWE-1395 Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186)
Summary: There is a potential vulnerability in Traefik due to its dependency on an affected version of gRPC-Go (CVE-2026-33186). A remote, unauthenticated attacker can send gRPC requests with a malformed HTTP/2 `:path` pseudo-header omitting
Sources: ghsa, osv
CVE-2026-35051 | P2 | HIGH | Affected: ≥ 0, < 2.11.43 | 2026-04-24
CVE-2026-35051 [HIGH] CWE-345 Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication
Summary: There is a high-severity authentication bypass vulnerability in Traefik's `ForwardAuth` middleware when `trustForwardHeader=false` is configured and Traefik is deployed behind a trusted upstream proxy. While `X-Forwarded-*` headers (such as `X-
Sources: ghsa
CVE-2026-44774 | P2 | MEDIUM | Affected: ≥ 0, < 2.11.46 | 2026-05-13
CVE-2026-44774 [MEDIUM] CWE-284 Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false
Summary: There is a medium severity vulnerability in Traefik's Kubernetes Gateway API provider that allows a tenant with `HTTPRoute` creation permissi
Sources: ghsa
CVE-2025-47952 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 0, < 2.11.25 | 2025-05-28
CVE-2025-47952 [HIGH] CWE-22 Traefik allows path traversal using URL encoding
Impact: There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL-encoded string in its path, it is possible to target a backend, exposed using another router, bypassing the middlewa
Sources: ghsa, osv
CVE-2025-68121 | P3 | CRITICAL | CVSS 10.0 | Affected: ≥ 0, < 2.11.37 | 2026-02-20
CVE-2025-68121 [CRITICAL] CWE-1395 Traefik affected by TLS ClientAuth Bypass on HTTP/3
Summary: There is a potential vulnerability in Traefik managing HTTP/3 connections. More details in the [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121).
Patches:
- https://github.com/traefik/traefik/releases/tag/v2.11.37
- https://github.com/traefik/traefik/releases/tag/v3.6.8
Workarounds: No workaround
For more information
Sources: ghsa, osv
CVE-2025-54386 | P2 | HIGH | Affected: ≥ 0, < 2.11.28 | 2025-08-01
CVE-2025-54386 [HIGH] CWE-22 Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution
Summary: A path traversal vulnerability was discovered in Traefik's WASM plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with `../` sequences, an attacker can overwrite arbitrary files on the s
Sources: ghsa, osv
CVE-2026-33433 | P3 | MEDIUM | Affected: ≥ 0, < 2.11.42 | 2026-03-27
CVE-2026-33433 [MEDIUM] CWE-290 Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField
Summary: There is a potential vulnerability in Traefik's Basic and Digest authentication middlewares when `headerField` is configured with a non-canonical HTTP header name. An authenticated attacker with valid credentials can inject the canonical version of the configured header t
Sources: ghsa, osv
CVE-2025-32431 | P3 | HIGH | Affected: ≥ 0, < 2.11.23 | 2025-04-21
CVE-2025-32431 [HIGH] CWE-22 Traefik has a possible vulnerability with its path matchers
Impact: There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a `/../` in its path, it is possible to target a backend, exposed using another router, bypassing th
Sources: ghsa, osv
CVE-2026-40912 | P3 | HIGH | Affected: ≥ 0, < 2.11.43 | 2026-04-24
CVE-2026-40912 [HIGH] CWE-706 Traefik has a StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync
Summary: There is a high severity authentication bypass vulnerability in Traefik's `StripPrefixRegex` middleware when used in combination with `ForwardAuth`, `BasicAuth`, or `DigestAuth`. The middleware matches the regex against the decoded URL path but uses the resulting byte length to s
Sources: ghsa
CVE-2020-15129 | P3 | MEDIUM | PoC | Affected: ≥ 0, < 2.3.0-rc6; ≥ 2.3.0-rc1, < 2.3.0-rc6 | 2022-02-11
CVE-2020-15129 [MEDIUM] CWE-601 Traefik vulnerable to Open Redirect via handling of X-Forwarded-Prefix header
Summary: There exists a potential open redirect vulnerability in Traefik's handling of the `X-Forwarded-Prefix` header. Active exploitation of this issue is unlikely as it would require active header injection; however, the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisonin
Sources: ghsa, osv
CVE-2025-22871 | P3 | CRITICAL | CVSS 9.1 | Affected: ≥ 0, < 2.11.24 | 2025-04-18
CVE-2025-22871 [CRITICAL] CWE-1395 Traefik affected by Go HTTP Request Smuggling Vulnerability
Summary: net/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could
Sources: ghsa, osv
CVE-2024-24790 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 0, < 2.11.4 | 2024-06-11
CVE-2024-24790 [CRITICAL] CWE-180 Traefik has unexpected behavior with IPv4-mapped IPv6 addresses
Impact: There is a vulnerability in [Go managing various Is methods (IsPrivate, IsLoopback, etc.) for IPv4-mapped IPv6 addresses](https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ). They didn't work as expected, returning false for addresses which would return true in their traditional IPv4 forms.
Referen
Sources: ghsa, osv
CVE-2026-29054 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 2.11.9, < 2.11.38 | 2026-03-04
CVE-2026-29054 [HIGH] CWE-178 traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)
Impact: There is a potential vulnerability in Traefik managing the `Connection` header with `X-Forwarded` headers. When Traefik processes HTTP/1.1 requests, the protection p
Sources: ghsa, osv
CVE-2024-45410 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 0, < 2.11.9 | 2024-09-19
CVE-2024-45410 [CRITICAL] CWE-345 HTTP client can manipulate custom HTTP headers that are added by Traefik
Impact: There is a vulnerability in Traefik that allows the client to remove the X-Forwarded headers (except the header X-Forwarded-For).
Patches:
- https://github.com/traefik/traefik/releases/tag/v2.11.9
- https://github.com/traefik/traefik/releases/tag/v3.1.3
Workarounds: No workaround.
For more i
Sources: ghsa, osv
CVE-2026-32695 | P3 | MEDIUM | Affected: ≥ 0, ≤ 2.11.42 | 2026-03-27
CVE-2026-32695 [MEDIUM] CWE-74 Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass
Summary: There is a potential vulnerability in Traefik's Kubernetes Knative, Ingress, and Ingress-NGINX providers related to rule injection. User-controlled values are interpolated into backtick-delimited Traefik router rule expressions without escaping or validation. A malicious value containing a backti
Sources: ghsa, osv
CVE-2026-27141 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 2.11.40 | 2026-03-12
CVE-2026-27141 [HIGH] CWE-476 Traefik: HTTP/2 frames can cause a running server to panic
Summary: More details:
- https://nvd.nist.gov/vuln/detail/CVE-2026-27141
- https://pkg.go.dev/golang.org/x/net/http2?tab=versions
Patches:
- https://github.com/traefik/traefik/releases/tag/v3.6.10
- https://github.com/traefik/traefik/releases/tag/v2.11.40
For more information: If you have any questions or comments about this advisory, ple
Sources: ghsa, osv